PT-2026-25942 · Kubernetes · Kubernetes-Csi-Driver-Nfs

Shaul Ben Hai · Published 2026-03-17 · Updated 2026-03-27 · CVE-2026-3864

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Kubernetes CSI Driver for NFS (affected versions not specified)

Description

A flaw exists in the Kubernetes CSI Driver for NFS related to insufficient validation of the subDir parameter within volume identifiers. An attacker capable of creating PersistentVolumes utilizing the NFS CSI driver can construct volume identifiers containing path traversal sequences (../). This manipulation could allow the driver to operate on directories outside the intended managed path during volume deletion or cleanup, potentially leading to unauthorized deletion or modification of directories on the NFS server. The vulnerable parameter is subDir.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
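
The kind of containment check whose absence the description points to, as an added Go example (not the driver's own code and not its fix). It assumes subDir is joined onto a managed base directory; the helper ResolveSubDir, the error ErrUnsafeSubDir and the path /export/k8s-volumes are hypothetical names chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeSubDir is a hypothetical error for this example.
var ErrUnsafeSubDir = errors.New("subDir is empty, absolute, or resolves outside the managed base")

// ResolveSubDir (hypothetical helper) joins subDir onto baseDir and returns the
// cleaned path only when it names a location strictly below baseDir.
func ResolveSubDir(baseDir, subDir string) (string, error) {
	if subDir == "" || filepath.IsAbs(subDir) {
		return "", ErrUnsafeSubDir
	}
	base := filepath.Clean(baseDir)
	target := filepath.Join(base, subDir) // Join also collapses "../" segments
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	// "." means the base itself (e.g. "a/.."): deleting it would remove every
	// volume, so it is refused together with anything that climbs above base.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeSubDir
	}
	return target, nil
}

func main() {
	base := "/export/k8s-volumes" // constructed sample path
	samples := []string{ // constructed subDir values
		"team-a/pvc-1234", "a/../b", "../other-tenant",
		"pvc-1234/../../etc", "pvc-1234/..", "/etc",
	}
	for _, s := range samples {
		p, err := ResolveSubDir(base, s)
		fmt.Printf("%-22q -> %q (err: %v)\n", s, p, err)
	}
}
```

The check is purely lexical: it does not resolve symbolic links on the export, so it bounds the path string and not what the NFS server ultimately dereferences.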

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-3864
GHSA-2MJQ-54QG-7W6J
GO-2026-4816
SUSE-SU-2026:1135-1

Affected Products

Kubernetes-Csi-Driver-Nfs