CVE-2026-6437

MEDIUM

AWS EFS CSI Driver Mount Option Injection

Title source: cna

Description

Improper neutralization of argument delimiters in the volume handling component in AWS EFS CSI Driver (aws-efs-csi-driver) before v3.0.1 allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount options via comma injection. To remediate this issue, users should upgrade to version v3.0.1

References (3)

[Vendor Advisory] https://aws.amazon.com/security/security-bulletins/2026-016-aws/

[Third Party Advisory] https://github.com/kubernetes-sigs/aws-efs-csi-driver/security/advisories/GHSA-mph4-q2vm-w2pw

[Patch] https://github.com/kubernetes-sigs/aws-efs-csi-driver/releases/tag/v3.0.1

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 11.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-88

Status published

Products (2)

Amazon/AWS EFS CSI Driver 3.0.1

kubernetes-sigs/aws-efs-csi-driver 0 - 1.7.8-0.20260416142831-51806c22c575Go

Published Apr 17, 2026

Tracked Since Apr 18, 2026