DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-6437: Mount Option Injection in Amazon EFS CSI Driver

Vulnerability ID: CVE-2026-6437
CVSS Score: 6.5
Published: 2026-04-18

The Amazon EFS CSI Driver contains an argument injection vulnerability (CWE-88) in versions prior to v3.0.1. Unsanitized values in the volumeHandle and mounttargetip fields allow authenticated users with PersistentVolume creation permissions to inject arbitrary mount options.

TL;DR

Authenticated Kubernetes users can bypass mount restrictions by injecting arbitrary comma-separated mount options via unsanitized PersistentVolume fields in the AWS EFS CSI Driver.


Technical Details

  • CWE ID: CWE-88: Argument Injection
  • Attack Vector: Network
  • CVSS v3.1 Score: 6.5 (Medium)
  • EPSS Score: 0.00029 (8.06%)
  • Privileges Required: High (PersistentVolume Creation)
  • Exploit Status: Unexploited / PoC available
  • CISA KEV: Not Listed

Affected Systems

  • Amazon EFS CSI Driver (aws-efs-csi-driver) versions < 3.0.1 (fixed in 3.0.1)
  • Kubernetes clusters running the vulnerable AWS EFS CSI driver

Code Analysis

Commit: 51806c2

Fix argument injection in mount options by adding strict net.ParseIP validation to the mounttargetip field.
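The following is an added, illustrative validator written for this write-up; it is not code from the aws-efs-csi-driver repository or from the commit above. It shows the defensive pattern the fix describes: a mount-target address is accepted only if net.ParseIP accepts it as a single IP, and a volumeHandle is accepted only if it matches an allow-listed shape, so a comma-separated tail can never reach the mount option list. The volumeHandle format (file-system id, optional subpath, optional access-point id), the `addr=` option name and the function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
)

// Assumed shape for an EFS volume handle: "fs-<hex>[:/subpath[:fsap-<hex>]]".
// The character class deliberately excludes ',' and whitespace, which are the
// separators a mount helper would use to split additional options.
var volumeHandleRe = regexp.MustCompile(`^fs-[0-9a-f]+(:/[^,\s:]*)?(:fsap-[0-9a-f]+)?$`)

var (
	ErrBadMountTargetIP = errors.New("mounttargetip is not a single valid IP address")
	ErrBadVolumeHandle  = errors.New("volumeHandle does not match the expected format")
)

// ValidateMountTargetIP mirrors the strict net.ParseIP check: anything that is
// not exactly one IPv4/IPv6 literal (including a value with a trailing
// ",option" list) yields nil from net.ParseIP and is rejected.
func ValidateMountTargetIP(v string) (string, error) {
	ip := net.ParseIP(v)
	if ip == nil {
		return "", ErrBadMountTargetIP
	}
	return ip.String(), nil
}

// ValidateVolumeHandle applies the allow-list regexp above.
func ValidateVolumeHandle(v string) error {
	if !volumeHandleRe.MatchString(v) {
		return ErrBadVolumeHandle
	}
	return nil
}

// BuildMountOptions composes the mount option list only from values that
// passed validation, so an untrusted field can contribute at most one
// well-formed token. "addr=" is an assumed option name for illustration.
func BuildMountOptions(volumeHandle, mountTargetIP string, extra []string) ([]string, error) {
	if err := ValidateVolumeHandle(volumeHandle); err != nil {
		return nil, err
	}
	addr, err := ValidateMountTargetIP(mountTargetIP)
	if err != nil {
		return nil, err
	}
	opts := []string{"addr=" + addr}
	opts = append(opts, extra...)
	return opts, nil
}

func main() {
	// Constructed sample inputs: one clean pair and one pair carrying a
	// comma-separated tail in each untrusted field.
	cases := [][2]string{
		{"fs-0123abcd:/data:fsap-0123abcd", "10.0.0.5"},
		{"fs-0123abcd,rw", "10.0.0.5"},
		{"fs-0123abcd", "10.0.0.5,rw"},
	}
	for _, c := range cases {
		opts, err := BuildMountOptions(c[0], c[1], []string{"tls"})
		fmt.Printf("handle=%q ip=%q -> opts=%v err=%v\n", c[0], c[1], opts, err)
	}
}
```

The point to check in your own code: validation must run before the value is concatenated into anything that is later split on commas, and the accepted set should be an allow-list (a parsed IP, a fixed identifier grammar) rather than a deny-list of known-bad characters.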

Mitigation Strategies

  • Upgrade the Amazon EFS CSI Driver DaemonSet to v3.0.1 or later.
  • Restrict Kubernetes RBAC permissions for PersistentVolume and StorageClass creation.
  • Deploy OPA Gatekeeper or Kyverno policies to validate and sanitize volume attributes.
  • Monitor Kubernetes audit logs for irregular characters in volume provisioning requests.

Remediation Steps:

  1. Identify the current version of the aws-efs-csi-driver deployed in the cluster.
  2. Review RBAC roles to ensure only cluster-admin equivalents can create PersistentVolumes.
  3. Apply the v3.0.1 (or latest) release manifests or update the corresponding Helm chart.
  4. Verify that the DaemonSet rollout has completed on all worker nodes.
  5. Test volume provisioning to confirm the updated driver maintains operational functionality.
