CVE-2026-6437
Argument Delimiter Injection in AWS EFS CSI Driver Mount Options
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: AMZN
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | aws_efs_csi_driver | 3.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper neutralization of argument delimiters in the volume handling component of the AWS EFS CSI Driver before version 3.0.1. It allows remote authenticated users who have permissions to create PersistentVolumes to inject arbitrary mount options by exploiting comma injection.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing an authenticated user with PersistentVolume creation permissions to inject arbitrary mount options. This could lead to unauthorized changes in how volumes are mounted, potentially compromising the confidentiality and integrity of data accessed through these volumes.
What immediate steps should I take to mitigate this vulnerability?
To remediate this issue, users should upgrade the AWS EFS CSI Driver to version v3.0.1 or later.