CVE-2026-6437 - Mount Option Injection in Amazon EFS CSI Driver

Bulletin ID: 2026-016-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 04/17/2026 11:15 AM PDT
 

Description:

The Amazon EFS CSI Driver is a Container Storage Interface driver that allows Kubernetes clusters to use Amazon Elastic File System.

We identified CVE-2026-6437, where an actor with PersistentVolume creation privileges can inject arbitrary mount options via two unsanitized fields: the Access Point ID in volumeHandle and the mounttargetip volumeAttribute. In both cases, appending comma-separated values causes the mount utility to parse them as separate mount options.

Impacted versions: EFS CSI Driver <= v3.0.0

Resolution:

This issue has been addressed in EFS CSI Driver version v3.0.1. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds:

Restrict PersistentVolume and StorageClass creation to cluster administrators using Kubernetes RBAC, preventing untrusted users from supplying arbitrary field values.
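Beyond RBAC, the two fields named in the description can be checked before a PersistentVolume is admitted or during a periodic audit. The following is an added example in Go (the driver's language), not code from the EFS CSI driver itself; it assumes the handle layout `<fsid>:<subpath>:<apid>` and the ID shapes `fs-<hex>` and `fsap-<hex>`, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Assumed ID shapes (not from the bulletin): file systems "fs-<hex>",
// access points "fsap-<hex>"; the handle layout "<fsid>:<subpath>:<apid>".
var (
	fsIDRe   = regexp.MustCompile(`^fs-[0-9a-f]{8,40}$`)
	fsapIDRe = regexp.MustCompile(`^fsap-[0-9a-f]{8,40}$`)
)

// CheckPV validates the two fields named in the bulletin for one PersistentVolume
// and returns every finding (an admission webhook or audit job would use this shape).
func CheckPV(volumeHandle string, attrs map[string]string) []string {
	var findings []string
	// A comma or whitespace in the handle is what lets the mount helper see extra options.
	if strings.ContainsAny(volumeHandle, ", \t\r\n") {
		findings = append(findings, "volumeHandle contains a mount-option separator")
	}
	parts := strings.Split(volumeHandle, ":")
	if len(parts) > 3 {
		findings = append(findings, "volumeHandle has more than three ':' parts")
	}
	if !fsIDRe.MatchString(parts[0]) {
		findings = append(findings, "volumeHandle: file system id is malformed")
	}
	if len(parts) == 3 && parts[2] != "" && !fsapIDRe.MatchString(parts[2]) {
		findings = append(findings, "volumeHandle: access point id is malformed")
	}
	// mounttargetip is optional; when present it must be one literal IP (net.ParseIP rejects "ip,x").
	if ip, ok := attrs["mounttargetip"]; ok && net.ParseIP(ip) == nil {
		findings = append(findings, "mounttargetip is not a single IP address")
	}
	return findings
}

func main() {
	// Constructed sample values, not taken from any real cluster.
	clean := CheckPV("fs-0123456789abcdef0::fsap-0123456789abcdef0",
		map[string]string{"mounttargetip": "10.0.0.5"})
	bad := CheckPV("fs-0123456789abcdef0::fsap-0123456789abcdef0,extra",
		map[string]string{"mounttargetip": "10.0.0.5,extra"})
	fmt.Println(len(clean), "findings for the clean PV;", len(bad), "for the injected one")
}
```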

References:

Acknowledgement:

We would like to thank Shaul Ben-Hai from SentinelOne for collaborating on this issue through the coordinated vulnerability disclosure process.


Please email aws-security@amazon.com with any security questions or concerns.