CVE-2026-3864

Published: Mar 20, 2026

Modified: Mar 23, 2026

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export. This may lead to deletion or modification of directories on the NFS server.

Vendor	Product	Versions
Kubernetes	CSI Driver for NFS	affected `0 - < 4.13.1` unaffected `4.13.1`

Weaknesses (CWE)

CWE-22

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

References

https://groups.google.com/g/kubernetes-security-announce/c/i4ZKN9VLcUE

mailing-list

https://github.com/kubernetes/kubernetes/issues/137797

issue-tracking

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-3864

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References