PT-2026-25942 · Kubernetes · Kubernetes-Csi-Driver-Nfs
Shaul Ben Hai · Published 2026-03-17 · Updated 2026-03-27 · CVE-2026-3864
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Kubernetes CSI Driver for NFS (affected versions not specified)
Description
A flaw exists in the Kubernetes CSI Driver for NFS: the subDir parameter within volume identifiers is insufficiently validated. An attacker who can create PersistentVolumes that use the NFS CSI driver can construct volume identifiers containing path traversal sequences (../). This manipulation could allow the driver to operate on directories outside the intended managed path during volume deletion or cleanup, potentially leading to unauthorized deletion or modification of directories on the NFS server. The vulnerable parameter is subDir.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
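The kind of containment check the description says is missing for subDir, shown as an added example; it is not the driver's code and not its fix. The names `ResolveSubDir` and `ErrTraversal`, the base path `/export/pv` and the sample values are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrTraversal reports a subDir that would resolve outside the managed base.
var ErrTraversal = errors.New("subDir escapes managed base path")

// ResolveSubDir (hypothetical helper) joins a managed base path with an
// untrusted subDir and returns the result only if it stays strictly below
// base. Assumes POSIX-style paths and a base other than "/".
func ResolveSubDir(base, subDir string) (string, error) {
	if subDir == "" || strings.ContainsRune(subDir, 0) {
		return "", errors.New("subDir is empty or contains NUL")
	}
	// Refuse any ".." segment instead of silently normalising it away.
	for _, seg := range strings.Split(subDir, "/") {
		if seg == ".." {
			return "", ErrTraversal
		}
	}
	cleanBase := path.Clean(base)
	full := path.Join(cleanBase, subDir)
	// Second check on the resolved path: it must be a strict descendant of
	// base, so "." (the base itself) is refused as well.
	if !strings.HasPrefix(full, cleanBase+"/") {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	// Constructed sample values; "/export/pv" is an assumed managed path.
	for _, s := range []string{"pvc-123", "team/a/pvc-9", "../other", "a/../../b", "."} {
		p, err := ResolveSubDir("/export/pv", s)
		fmt.Printf("%-14q -> %q err=%v\n", s, p, err)
	}
}
```

Running the check before any delete or cleanup operation, and not only at volume creation, matters here because the description places the impact in the deletion path.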
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Kubernetes-Csi-Driver-Nfs