Path Traversal Vulnerability in Kubernetes CSI Driver for NFS
CVE-2026-3864

6.5MEDIUM

Key Information:

Vendor

Kubernetes
Status
Csi Driver For Nfs
Vendor
CVE Published:
20 March 2026

What is CVE-2026-3864?

CVE-2026-3864 is a significant vulnerability identified within the Kubernetes CSI Driver for NFS (Network File System), a critical component used for managing storage in Kubernetes environments. This vulnerability arises from inadequate validation of the subDir parameter in volume identifiers, allowing attackers with permissions to create PersistentVolumes to craft malicious volume identifiers. By inserting path traversal sequences (such as ../), these attackers can manipulate the operations of the CSI driver, particularly during volume deletion or cleanup. This could lead to unintended interactions with directories outside the controlled managed path on the NFS server, potentially causing unauthorized deletions or modifications of vital directories. The implications of this flaw are serious, as it threatens the integrity and availability of data stored within NFS exports, which are essential for many Kubernetes-based applications.

Potential impact of CVE-2026-3864

  1. Data Loss and Corruption: Exploiting this vulnerability may result in unauthorized deletion or modification of files and directories on an NFS server, leading to critical data loss and corruption that can disrupt business operations.

  2. Compromised System Integrity: The ability to manipulate directories can undermine the security posture of the affected environment, as attackers could potentially gain access to sensitive data or operational resources, weakening overall system integrity.

  3. Service Disruption: Organizations relying on NFS for their Kubernetes deployments could experience significant service interruptions, as unintended changes or deletions could affect the functionality of applications relying on the storage systems, leading to downtime and resource wastage.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

CSI Driver for NFS 0 < 4.13.1

CSI Driver for NFS 4.13.1

References

https://groups.google.com/g/kubernetes-security-announce/...
mailing-list
https://github.com/kubernetes/kubernetes/issues/137797
issue-tracking

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Shaul Ben Hai, Senior Staff Security Researcher, SentinelOne
JSON
.