CVE-2026-3864 - Vulnerability Details - OpenCVE

A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export. This may lead to deletion or modification of directories on the NFS server.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/kubernetes/kubernetes/issues/137797
https://groups.google.com/g/kubernetes-security-announce/c/i4ZKN9VLcUE

History

Fri, 20 Mar 2026 22:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export. This may lead to deletion or modification of directories on the NFS server.
Title		CSI Driver for NFS path traversal via subDir may delete unintended directories on the NFS server
Weaknesses		CWE-22
References		https://github.com/kubernetes/kubernetes/issues/137797 https://groups.google.com/g/kubernetes-security-announce/c/i4ZKN9VLcUE
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: kubernetes

Published: 2026-03-20T22:21:33.827Z

Updated: 2026-03-20T23:10:38.486Z

Reserved: 2026-03-10T06:18:16.575Z

Link: CVE-2026-3864

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3864", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "state": "PUBLISHED", "assignerShortName": "kubernetes", "dateReserved": "2026-03-10T06:18:16.575Z", "datePublished": "2026-03-20T22:21:33.827Z", "dateUpdated": "2026-03-20T23:10:38.486Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CSI Driver for NFS", "vendor": "Kubernetes", "versions": [{"status": "affected", "version": "0", "lessThan": "4.13.1", "versionType": "semver"}, {"status": "unaffected", "version": "4.13.1"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Shaul Ben Hai, Senior Staff Security Researcher, SentinelOne"}], "datePublic": "2026-03-17T00:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export, which may lead to deletion or modification of directories on the NFS server.</div>"}], "value": "A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export. This may lead to deletion or modification of directories on the NFS server."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "CSI Driver for NFS path traversal via subDir may delete unintended directories on the NFS server"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22 Path Traversal", "type": "CWE"}]}], "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2026-03-20T22:21:33.827Z"}, "references": [{"tags": ["mailing-list"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/i4ZKN9VLcUE"}, {"tags": ["issue-tracking"], "url": "https://github.com/kubernetes/kubernetes/issues/137797"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Upgrade the CSI Driver for NFS to version 4.13.1 or later. As mitigations, restrict PersistentVolume creation privileges to trusted administrators and review NFS exports to ensure only intended directories are writable by the driver.</div>"}], "value": "Upgrade the CSI Driver for NFS to version 4.13.1 or later. As mitigations, restrict PersistentVolume creation privileges to trusted administrators and review NFS exports to ensure only intended directories are writable by the driver."}], "source": {"discovery": "EXTERNAL"}, "title": "CSI Driver for NFS path traversal via subDir may delete unintended directories on the NFS server", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/17/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-20T23:10:38.486Z"}}]}}