VYPR
Medium severity (6.5) · GHSA Advisory · Published Apr 17, 2026 · Updated Apr 20, 2026

CVE-2026-6437

Description

Improper neutralization of argument delimiters in the volume handling component in AWS EFS CSI Driver (aws-efs-csi-driver) before v3.0.1 allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount options via comma injection.

To remediate this issue, users should upgrade to version v3.0.1.
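The following is an added illustration of the flaw described above and of the check the fix introduces; it is not code from the aws-efs-csi-driver project. It assumes the volume-context key is the string "mounttargetip" (a placeholder; the driver's diff refers to the constant MountTargetIp), that the "tls" base option and the "extraopt=1" suffix are constructed sample values, and that mount options are joined into one comma-separated string, which is what makes a comma inside a single value act as a delimiter.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// mountTargetIPKey stands in for the driver's MountTargetIp constant (assumed value).
const mountTargetIPKey = "mounttargetip"

// ErrInvalidMountTargetIP is returned when the value is not a single IP literal.
var ErrInvalidMountTargetIP = errors.New("mounttargetip is not a valid IP address")

// buildMountOptionsUnchecked mirrors the pre-fix behaviour: the volume-context
// value is concatenated into the comma-separated option string without any
// validation, so a comma inside it is indistinguishable from an option delimiter.
func buildMountOptionsUnchecked(base []string, ip string) string {
	opts := append(append([]string{}, base...), mountTargetIPKey+"="+ip)
	return strings.Join(opts, ",")
}

// validateMountTargetIP is the post-fix check. net.ParseIP succeeds only on a
// bare IPv4 or IPv6 literal, so any delimiter character causes rejection before
// the value reaches the mount command. The canonical ip.String() form is
// returned so callers append a normalised value rather than the raw input.
func validateMountTargetIP(v string) (string, error) {
	ip := net.ParseIP(v)
	if ip == nil {
		return "", fmt.Errorf("%w: %q", ErrInvalidMountTargetIP, v)
	}
	return ip.String(), nil
}

// buildMountOptionsChecked validates first; the error is what a CSI server
// would map to codes.InvalidArgument, as the fix does.
func buildMountOptionsChecked(base []string, ip string) (string, error) {
	canon, err := validateMountTargetIP(ip)
	if err != nil {
		return "", err
	}
	opts := append(append([]string{}, base...), mountTargetIPKey+"="+canon)
	return strings.Join(opts, ","), nil
}

// countOptions reports how many separate options a comma-splitting mount
// helper would see in the joined string.
func countOptions(joined string) int {
	return len(strings.Split(joined, ","))
}

func main() {
	base := []string{"tls"} // constructed sample base option
	// Constructed sample values: a legitimate address, and one that carries a
	// delimiter so that a second (placeholder) option rides along with it.
	for _, v := range []string{"10.0.0.1", "10.0.0.1,extraopt=1"} {
		fmt.Printf("unchecked: %q -> %d option(s)\n", v, countOptions(buildMountOptionsUnchecked(base, v)))
		if s, err := buildMountOptionsChecked(base, v); err != nil {
			fmt.Printf("checked:   %q -> rejected: %v\n", v, err)
		} else {
			fmt.Printf("checked:   %q -> %s\n", v, s)
		}
	}
}
```

Running it shows the unchecked path turning one context value into two mount options, while the checked path rejects the same value and passes the legitimate address through in canonical form. Validating the value as a typed IP literal rather than filtering out commas is the stronger choice: it rejects every delimiter and whitespace variant at once instead of enumerating them.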

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        | Affected versions                       | Patched versions
github.com/kubernetes-sigs/aws-efs-csi-driver (Go) | < 1.7.8-0.20260416142831-51806c22c575 | 1.7.8-0.20260416142831-51806c22c575

Affected products: 1

Patches: 1

Commit 51806c22c575

Validate mountTargetIp as a valid IP address in NodePublishVolume

1 file changed · +5 −2
  • pkg/driver/node.go (+5 −2, modified)
    @@ -20,6 +20,7 @@ import (
     	"context"
     	"encoding/json"
     	"fmt"
    +	"net"
     	"os"
     	"path"
     	"regexp"
    @@ -112,8 +113,10 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
     				return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("Volume context property %q must be a boolean value: %v", k, err))
     			}
     		case MountTargetIp:
    -			ipAddr := volContext[MountTargetIp]
    -			mountOptions = append(mountOptions, MountTargetIp+"="+ipAddr)
    +			if net.ParseIP(v) == nil {
    +				return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("Volume context property %q=%q is not a valid IP address", k, v))
    +			}
    +			mountOptions = append(mountOptions, MountTargetIp+"="+v)
     		case CrossAccount:
     			var err error
     			crossAccountDNSEnabled, err = strconv.ParseBool(v)
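Review bot: after `net.ParseIP(v)` succeeds, the hunk still appends the raw `v` to `mountOptions`; appending the parsed value's canonical form instead (`ip := net.ParseIP(v)` ... `MountTargetIp+"="+ip.String()`) would hand the mount helper a single normalised representation rather than whatever spelling the caller supplied, and avoids parsing the same string twice. The validation itself is the right shape: a successful parse guarantees a single IPv4 or IPv6 literal with no delimiter characters, so the comma injection the advisory describes is closed at this point, and the `codes.InvalidArgument` error matches the boolean-parsing case immediately above it. Also worth noting that the old code indexed `volContext[MountTargetIp]` while the new code uses `v`; these are the same value inside this `switch`, so the change is safe, but a one-line comment in the commit would make that explicit for future readers.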
    
