PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6437 Amazon CVE debrief

A vulnerability in the AWS EFS CSI Driver before v3.0.1 allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount options by embedding commas in values that the volume handling component forwards to the mount. The root cause is improper neutralization of argument delimiters (CWE-88); the CVSS 4.0 vector rates the result as a high integrity impact on the cluster. The vulnerability was published on April 17, 2026 and last modified on June 1, 2026. Amazon has released version v3.0.1 to address the issue.

Vendor
Amazon
Product
AWS EFS CSI Driver
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-17
Original CVE updated
2026-06-01
Advisory published
2026-04-17
Advisory updated
2026-06-01

Who should care

Organizations running AWS EFS CSI Driver versions prior to v3.0.1 in Kubernetes, particularly multi-tenant clusters where PersistentVolume creation has been granted to non-administrative users. PersistentVolumes are cluster-scoped objects, so the privilege in question is create on persistentvolumes at cluster scope, not the namespaced PersistentVolumeClaim permission most tenants hold; clusters that hand that right to tenants, CI pipelines or automation accounts are the ones most exposed. Platform engineering teams, Kubernetes cluster administrators, and security teams responsible for container storage should prioritize this update.

Technical summary

The AWS EFS CSI Driver's volume handling component fails to neutralize the comma, the delimiter mount(8) uses to separate options, in the values it assembles into the mount option string. An authenticated attacker who can create PersistentVolume objects can therefore place commas inside a single field and have each comma-separated fragment interpreted as a separate mount option, changing how the filesystem is mounted. The CVSS 4.0 vector rates this as a high integrity impact on the cluster; no confidentiality or availability impact is recorded in the stored evidence. Version v3.0.1 addresses the issue through input sanitization of the affected values.

Defensive priority

medium

Recommended defensive actions

  • Upgrade aws-efs-csi-driver to version v3.0.1 or later
  • Review who holds create on persistentvolumes (a cluster-scoped resource) and restrict it to trusted principals
  • Audit existing PersistentVolume objects that use the EFS CSI driver for mount-related values containing commas or other unexpected delimiters
  • Monitor for anomalous mount option usage in EFS CSI Driver deployments, including mount option lists that grow beyond what the PV declares
  • Apply the principle of least privilege to Kubernetes RBAC roles related to volume management
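The delimiter-injection pattern described in the technical summary, together with the PersistentVolume audit recommended above, as an added example in Go. This is illustrative code written for this debrief, not the driver's source or Amazon's fix. It assumes the generic CWE-88 shape (a list of option strings joined with "," and handed to mount without checking that no entry already contains the delimiter). The driver name `efs.csi.aws.com` is the EFS CSI driver's registered name; the sample PV list, the filesystem and volume IDs in it, and the choice to inspect both `mountOptions` and `volumeHandle` (the page does not say which field is forwarded unescaped) are constructed assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// BuildMountOptsUnchecked reproduces the CWE-88 pattern in generic form:
// each list entry is assumed to be exactly one option, and the list is joined
// with the "," that mount(8) uses as its -o separator, so an entry that
// itself contains "," silently becomes several options. Illustrative only.
func BuildMountOptsUnchecked(opts []string) string {
	return strings.Join(opts, ",")
}

// ValidateMountOptions is a hypothetical hardening (not the project's fix):
// it rejects any entry that is empty or carries the delimiter or whitespace,
// so one entry can only ever become one option.
func ValidateMountOptions(opts []string) error {
	for i, o := range opts {
		if o == "" {
			return fmt.Errorf("mount option %d is empty", i)
		}
		if strings.ContainsAny(o, ", \t\r\n") {
			return fmt.Errorf("mount option %d (%q) contains a delimiter", i, o)
		}
	}
	return nil
}

// BuildMountOptsChecked validates before joining.
func BuildMountOptsChecked(opts []string) (string, error) {
	if err := ValidateMountOptions(opts); err != nil {
		return "", err
	}
	return strings.Join(opts, ","), nil
}

// pvList is the subset of a `kubectl get pv -o json` document the audit reads.
type pvList struct {
	Items []struct {
		Metadata struct {
			Name string `json:"name"`
		} `json:"metadata"`
		Spec struct {
			MountOptions []string `json:"mountOptions"`
			CSI          *struct {
				Driver       string `json:"driver"`
				VolumeHandle string `json:"volumeHandle"`
			} `json:"csi"`
		} `json:"spec"`
	} `json:"items"`
}

// EFSDriverName is the EFS CSI driver's registered name; PVs served by other
// drivers are skipped.
const EFSDriverName = "efs.csi.aws.com"

// AuditPVs returns the names of EFS CSI PersistentVolumes whose mountOptions
// fail validation or whose volumeHandle contains a comma (checking both
// fields is an assumption of this example).
func AuditPVs(doc []byte) ([]string, error) {
	var list pvList
	if err := json.Unmarshal(doc, &list); err != nil {
		return nil, err
	}
	var flagged []string
	for _, pv := range list.Items {
		if pv.Spec.CSI == nil || pv.Spec.CSI.Driver != EFSDriverName {
			continue
		}
		if ValidateMountOptions(pv.Spec.MountOptions) != nil ||
			strings.Contains(pv.Spec.CSI.VolumeHandle, ",") {
			flagged = append(flagged, pv.Metadata.Name)
		}
	}
	return flagged, nil
}

// SampleDoc is a constructed, minimal PV list; the IDs in it are made up.
const SampleDoc = `{"items":[
 {"metadata":{"name":"pv-clean"},"spec":{"mountOptions":["tls","iam"],
   "csi":{"driver":"efs.csi.aws.com","volumeHandle":"fs-0123456789abcdef0"}}},
 {"metadata":{"name":"pv-suspect"},"spec":{"mountOptions":["tls,iam"],
   "csi":{"driver":"efs.csi.aws.com","volumeHandle":"fs-0123456789abcdef0"}}},
 {"metadata":{"name":"pv-other-driver"},"spec":{"mountOptions":["a,b"],
   "csi":{"driver":"ebs.csi.aws.com","volumeHandle":"vol-0123456789abcdef0"}}}
]}`

func main() {
	// Two declared entries become three options once joined.
	fmt.Println("unchecked:", BuildMountOptsUnchecked([]string{"tls", "tls,iam"}))
	if _, err := BuildMountOptsChecked([]string{"tls", "tls,iam"}); err != nil {
		fmt.Println("checked:", err)
	}
	flagged, err := AuditPVs([]byte(SampleDoc))
	fmt.Println("flagged PVs:", flagged, "err:", err)
}
```

To run the audit against a live cluster, write `kubectl get pv -o json` to a file and pass its contents to AuditPVs; the check is read-only and needs only list/get on persistentvolumes. The audit deliberately reuses the same validator that the hardened join uses, so a PV that the audit flags is exactly one the hardened code path would have refused to mount.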

Evidence notes

The vulnerability is classified as CWE-88 (Improper Neutralization of Argument Delimiters in a Command). The CVSS 4.0 vector indicates a network attack vector, low attack complexity, high privileges required (the attacker must already be able to create PersistentVolumes), and a high integrity impact on the cluster; no confidentiality or availability impact is recorded. The affected product is the Amazon EFS CSI Driver for Kubernetes, with versions prior to v3.0.1 vulnerable.

Official resources

2026-04-17T19:16:40.150Z