Kubernetes CSI Driver for NFS Flaw Allows Attackers to Modify or Delete Server Data

A newly disclosed vulnerability in the Kubernetes Container Storage Interface (CSI) Driver for Network File System (NFS) is raising concerns among security teams, as it could allow attackers to delete or modify critical directories on NFS servers.

Tracked as CVE-2026-3864, the flaw carries a CVSS v3.1 score of 6.5, indicating medium severity. It was identified by SentinelOne researcher Shaul Ben Hai and affects all versions of the Kubernetes NFS CSI driver before v4.13.1.

Root Cause and Technical Details

The vulnerability stems from improper input validation in the handling of the “subDir” parameter within volume identifiers.

In Kubernetes environments, this parameter specifies the subdirectory on the NFS server where a volume should be mounted.

In affected versions, the CSI driver fails to properly sanitize user-supplied input. This oversight allows attackers to inject path traversal sequences such as “../” into the volume identifier.

As a result, the driver may interpret malicious paths as legitimate during storage operations.

The issue becomes particularly dangerous during routine lifecycle events such as volume deletion. When the driver attempts to remove directories, it may follow the manipulated path and operate outside the intended storage location.

To successfully exploit this flaw, an attacker must already have permissions to create PersistentVolumes that use the NFS CSI driver.

While this requirement limits exposure, it does not eliminate risk, especially in multi-tenant or misconfigured environments.

Once these privileges are obtained, an attacker can craft malicious volume identifiers containing traversal sequences.

This allows them to:

  • Delete arbitrary directories on the NFS server
  • Modify existing storage paths
  • Disrupt shared storage used by other workloads

Importantly, the impact extends beyond the Kubernetes cluster itself, directly affecting the underlying NFS infrastructure and potentially multiple applications relying on shared storage.

Detection and Threat Hunting

Security teams should immediately audit their environments for signs of exploitation. Key steps include:

  • Reviewing the “volumeHandle” field in PersistentVolumes for suspicious traversal patterns
  • Analyzing the CSI controller logs for abnormal directory operations
  • Identifying log entries that include paths with repeated traversal sequences (e.g., “../../../”)

Such indicators may signal attempts to manipulate or delete unintended directories.

The primary mitigation is to upgrade the Kubernetes NFS CSI driver to version 4.13.1 or later, which includes proper validation to block path traversal attempts.
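The hunting steps listed above (reviewing `volumeHandle` fields and controller logs for traversal sequences) and the kind of subDir validation the fix is described as adding can be exercised together in a small script. The following is an added example, not code from the csi-driver-nfs project or from the article: the `#`-separated layout of the sample volume handles, the klog-style log line format, and the `/exports` base directory are constructed assumptions, so every field of a handle is inspected rather than relying on a particular field order. It goes slightly beyond the article's literal `../` indicator by also catching percent-encoded variants.

```python
"""Hunt for path-traversal indicators in NFS CSI volume handles and controller logs.

Added example; not code from the csi-driver-nfs project. The volumeHandle layout
and the log line format below are constructed assumptions, not the driver's real ones.
"""
from urllib.parse import unquote
import posixpath
import re

# Constructed sample PersistentVolume volumeHandle values (assumption: fields are
# '#'-separated; the real field order is not assumed, so every field is inspected).
SAMPLE_VOLUME_HANDLES = {
    "pv-app-a": "nfs.example.internal#/exports/k8s#pvc-1a2b3c",
    "pv-app-b": "nfs.example.internal#/exports/k8s#team-b/data",
    "pv-suspicious": "nfs.example.internal#/exports/k8s#../../etc/exports",
    "pv-encoded": "nfs.example.internal#/exports/k8s#..%2F..%2Fbackups",
}

# Constructed controller log lines in a klog-like shape (the format is an assumption).
SAMPLE_LOG_LINES = [
    "I0414 10:02:11 controllerserver.go:310 DeleteVolume: removing /mnt/nfs-tmp/pvc-1a2b3c",
    "I0414 10:02:12 controllerserver.go:310 DeleteVolume: removing /mnt/nfs-tmp/team-b/data",
    "I0414 10:03:45 controllerserver.go:310 DeleteVolume: removing /mnt/nfs-tmp/../../../srv/nfs",
]

PATH_TOKEN_RE = re.compile(r"\S*/\S*")  # whitespace-free tokens that contain a slash


def has_dotdot_component(value: str) -> bool:
    """True if any '/'-separated component is '..' after percent-decoding,
    so '..%2F..' and '%2e%2e/' are caught as well as a literal '../'."""
    decoded = unquote(unquote(value))  # two rounds also handle double-encoding
    return any(part == ".." for part in decoded.replace("\\", "/").split("/"))


def subdir_is_safe(subdir: str, base: str = "/exports") -> bool:
    """Defensive validation of a subDir value: reject empty or absolute paths,
    '..' components, and anything that normalises outside the export base."""
    if not subdir or subdir.startswith("/") or has_dotdot_component(subdir):
        return False
    resolved = posixpath.normpath(posixpath.join(base, unquote(unquote(subdir))))
    return resolved == base or resolved.startswith(base + "/")


def scan_volume_handles(handles: dict) -> list:
    """Return [(pv_name, offending_field), ...] for handles carrying traversal."""
    findings = []
    for name, handle in handles.items():
        for field in handle.split("#"):
            if has_dotdot_component(field):
                findings.append((name, field))
                break
    return findings


def scan_log_lines(lines) -> list:
    """Return [(line_index, offending_token), ...] for log lines whose
    path-like tokens contain a '..' component."""
    findings = []
    for idx, line in enumerate(lines):
        for token in PATH_TOKEN_RE.findall(line):
            if has_dotdot_component(token):
                findings.append((idx, token))
                break
    return findings


if __name__ == "__main__":
    for name, field in scan_volume_handles(SAMPLE_VOLUME_HANDLES):
        print(f"PersistentVolume {name}: traversal in volumeHandle field {field!r}")
    for idx, token in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"log line {idx}: traversal path {token!r}")
```

In a real cluster the handle dictionary would be populated from `kubectl get pv -o json` (`.spec.csi.volumeHandle`) and the log lines from the CSI controller pod; the `subdir_is_safe` check shows the shape of the validation that blocks these values at admission time rather than after the fact.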

Until patching is complete, organizations should:

  • Restrict PersistentVolume creation privileges to trusted users only
  • Audit NFS export configurations to ensure minimal write access
  • Enforce strict role-based access control (RBAC) policies

This vulnerability highlights the broader risk of insufficient input validation in storage components. As Kubernetes adoption continues to grow, securing storage interfaces remains essential to protecting both cluster workloads and backend infrastructure.

The post Kubernetes CSI Driver for NFS Flaw Allows Attackers to Modify or Delete Server Data appeared first on Cyber Security News.
