CVE-2026-6437

MEDIUM 6.5

AWS EFS CSI Driver Mount Option Injection

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Improper neutralization of argument delimiters in the volume handling component in AWS EFS CSI Driver (aws-efs-csi-driver) before v3.0.1 allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount options via comma injection. To remediate this issue, users should upgrade to version v3.0.1

CWE	CWE-88
Vendor	amazon
Product	aws efs csi driver
Published	Apr 17, 2026
Last Updated	Apr 17, 2026

Stay Ahead of the Next One

Get instant alerts for amazon aws efs csi driver

Be the first to know when new medium vulnerabilities affecting amazon aws efs csi driver are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

Amazon / AWS EFS CSI Driver

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

aws.amazon.com: https://aws.amazon.com/security/security-bulletins/2026-016-aws/ github.com: https://github.com/kubernetes-sigs/aws-efs-csi-driver/security/advisories/GHSA-mph4-q2vm-w2pw github.com: https://github.com/kubernetes-sigs/aws-efs-csi-driver/releases/tag/v3.0.1