AWS EFS CSI Driver <v3.0.1: Mount Option Injection via Argument Delimiter
CVE-2026-6437 Published on April 17, 2026

AWS EFS CSI Driver Mount Option Injection
Improper neutralization of argument delimiters in the volume handling component in AWS EFS CSI Driver (aws-efs-csi-driver) before v3.0.1 allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount options via comma injection. To remediate this issue, users should upgrade to version v3.0.1.

Vulnerability Analysis

CVE-2026-6437 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. An exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

Weakness Type

What is an Argument Injection Vulnerability?

The software constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

CVE-2026-6437 has been classified as an Argument Injection vulnerability or weakness.
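The comma injection described in the advisory text and the delimiter weakness defined above, as an added Go example that is not the driver's code. The function names, the `tls` and `accesspoint` sample options and the input values are assumptions made for illustration; the page does not say which field the driver mishandled.

```go
package main

import (
	"fmt"
	"strings"
)

// buildOptionsUnsafe appends key=value to a comma-delimited option string
// without neutralizing the delimiter inside value.
func buildOptionsUnsafe(base []string, key, value string) string {
	opts := append(append([]string{}, base...), key+"="+value)
	return strings.Join(opts, ",")
}

// buildOptionsSafe rejects a value containing the option delimiter, a space
// or a control character rather than trying to escape it.
func buildOptionsSafe(base []string, key, value string) (string, error) {
	if value == "" {
		return "", fmt.Errorf("%s: empty value", key)
	}
	for _, r := range value {
		if r == ',' || r == ' ' || r < 0x20 || r == 0x7f {
			return "", fmt.Errorf("%s: illegal character %q", key, r)
		}
	}
	return buildOptionsUnsafe(base, key, value), nil
}

// countOptions returns how many options a comma-splitting consumer sees.
func countOptions(opts string) int {
	return len(strings.Split(opts, ","))
}

func main() {
	base := []string{"tls"} // sample option names, not taken from the page
	// Constructed inputs: one plain identifier, one carrying a delimiter.
	for _, v := range []string{"fsap-0123456789abcdef0", "fsap-0123456789abcdef0,extra-option"} {
		joined := buildOptionsUnsafe(base, "accesspoint", v)
		fmt.Printf("unsafe: %q -> %d options\n", joined, countOptions(joined))
		if safe, err := buildOptionsSafe(base, "accesspoint", v); err != nil {
			fmt.Println("safe:   rejected:", err)
		} else {
			fmt.Printf("safe:   %q\n", safe)
		}
	}
}
```

The unsafe builder turns one field into two options for any consumer that splits on commas, while the safe builder fails the request before an option string exists.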


Products Associated with CVE-2026-6437

Affected Versions

Amazon AWS EFS CSI Driver Version 3.0.1 is unaffected by CVE-2026-6437