CVE-2026-3864: CWE-22 Path Traversal in Kubernetes CSI Driver for NFS

Medium
Tags: Vulnerability, CVE-2026-3864, CWE-22
Published: Fri Mar 20 2026 (03/20/2026, 22:21:33 UTC)
Source: CVE Database V5
Vendor/Project: Kubernetes
Product: CSI Driver for NFS

Description

A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export. This may lead to deletion or modification of directories on the NFS server.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/27/2026, 23:03:03 UTC

Technical Analysis

CVE-2026-3864 is a path traversal weakness (CWE-22) in the Kubernetes Container Storage Interface (CSI) Driver for NFS. The driver encodes where each volume lives inside the NFS export in the volume identifier, and the subDir component of that identifier was not validated. Anyone who can create a PersistentVolume referencing the NFS CSI driver controls that identifier and can place '../' sequences in the subDir field. Nothing is acted on at creation time; the crafted path takes effect when the driver later deletes or cleans up the volume, at which point it resolves the path relative to its managed directory in the export without rejecting components that climb out of it. The result is deletion or modification of directories elsewhere on the NFS server, affecting data integrity and availability. The CVSS 3.1 base score is 6.5 (medium): network attack vector, low attack complexity, high privileges required, no user interaction, and impacts on integrity and availability. No exploitation in the wild has been reported. Affected versions are not listed on this page; treat any driver release that predates the fix as affected. Practical exposure is highest where PersistentVolume creation is delegated beyond cluster administrators, because PersistentVolumes are cluster-scoped objects and the subDir value of a statically provisioned PV is whatever its author wrote. The lesson is the usual one for storage drivers: a path component taken from a user-controlled object must be canonicalised and confirmed to remain under the managed root before any filesystem operation uses it.

Potential Impact

The direct impact of CVE-2026-3864 is unauthorised deletion or modification of directories on the NFS export that backs the cluster's volumes, which translates into data loss and downtime for the workloads that depend on that storage. Because the traversal leaves the driver's managed directory, the damage is not confined to the volume being deleted: other volumes on the same export, or unrelated data the export holds, can be removed or altered, so both integrity and availability are affected. Multi-tenant clusters, and any cluster where developers or automation can create PersistentVolumes without strict controls, carry the most risk. Creating a PersistentVolume is a high-privilege, cluster-scoped action, which limits the realistic attacker to an insider or a compromised account that already holds that right; within that constraint the flaw offers a destructive primitive against the storage backend that could be used for sabotage. No exploitation in the wild has been reported, which bounds the immediate threat but not the future one. More broadly, the flaw breaks the assumption that a CSI volume's operations stay within that volume's own directory, an assumption on which storage isolation between cloud-native applications and services rests.

Mitigation Recommendations

To mitigate CVE-2026-3864, organizations should:

1) Apply the vendor fix for the Kubernetes CSI Driver for NFS as soon as it is available, so that the subDir component of the volume identifier is validated before it is used.

2) Restrict the RBAC verb `create` on `persistentvolumes` to cluster administrators and trusted provisioning controllers. PersistentVolumes are cluster-scoped, so this right is effectively cluster-wide and should not be granted to application teams.

3) Enforce policy at admission: with a ValidatingAdmissionPolicy (CEL) or a policy engine such as Open Policy Agent, reject PersistentVolumes whose spec.csi.driver is the NFS CSI driver (nfs.csi.k8s.io) and whose spec.csi.volumeHandle contains a '..' path component, an absolute path, or any subDir value outside the expected naming convention.

4) Audit existing PersistentVolumes that reference the driver for crafted handles, and monitor PersistentVolume create and delete events in the API server audit log for anomalous activity. The traversal is triggered on deletion, so creation is the earliest point at which a crafted volume can be caught.

5) Use network segmentation and export access controls so the NFS server is reachable only from the nodes that need it, and keep clusters or tenants on separate exports rather than one shared export tree, which limits what a traversal can reach.

6) Back up NFS data regularly and test restores, so that a malicious or accidental deletion is recoverable.

7) Review storage drivers and provisioner configuration for the same class of input validation weakness.

Together these measures reduce who can plant a crafted identifier, catch one before it is stored, and limit the damage if one is acted on.
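The following Go program is an added example, not code from the csi-driver-nfs project or from this page. It shows both halves of what the Technical Analysis and mitigation item 3 describe: how a subDir carrying '../' escapes the managed directory when it is joined onto the mount root unchecked, and a validation routine that an admission webhook (run against spec.csi.volumeHandle of an incoming PersistentVolume) or the driver itself could apply before acting on the path. The volume handle layout `server#baseDir#subDir#uuid`, the mount root and the handle strings are assumptions and constructed sample data for this example; check the driver source for the real layout of the version you run.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Assumed handle layout for this example (not taken from the page):
// "server#baseDir#subDir#uuid". Only the subDir field matters here.
const handleSeparator = "#"

type nfsVolume struct {
	Server  string
	BaseDir string
	SubDir  string
	UUID    string
}

// parseVolumeHandle splits a PersistentVolume's spec.csi.volumeHandle into
// its assumed fields. Extra trailing fields are ignored; too few is an error.
func parseVolumeHandle(handle string) (nfsVolume, error) {
	parts := strings.Split(handle, handleSeparator)
	if len(parts) < 4 {
		return nfsVolume{}, fmt.Errorf("volume handle %q: expected at least 4 '#'-separated fields, got %d", handle, len(parts))
	}
	return nfsVolume{Server: parts[0], BaseDir: parts[1], SubDir: parts[2], UUID: parts[3]}, nil
}

// cleanupTargetUnchecked mirrors the flaw the advisory describes: subDir is
// joined onto the directory where the export is mounted with no check that the
// result stays inside it. filepath.Join normalises "..", so a crafted subDir
// resolves to a directory outside the managed path.
func cleanupTargetUnchecked(mountRoot string, v nfsVolume) string {
	return filepath.Join(mountRoot, v.SubDir)
}

// validateSubDir rejects empty and absolute values and any value whose cleaned
// form is the managed directory itself or climbs above it. Names that merely
// begin with ".." (e.g. "..foo") are legitimate and are allowed.
func validateSubDir(subDir string) error {
	if subDir == "" {
		return errors.New("subDir is empty")
	}
	if filepath.IsAbs(subDir) {
		return fmt.Errorf("subDir %q is absolute", subDir)
	}
	clean := filepath.Clean(subDir)
	if clean == "." || clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return fmt.Errorf("subDir %q escapes the managed directory", subDir)
	}
	return nil
}

// cleanupTargetChecked is the hardened counterpart: validate the field, then
// confirm the joined path is strictly below mountRoot before returning it.
func cleanupTargetChecked(mountRoot string, v nfsVolume) (string, error) {
	if err := validateSubDir(v.SubDir); err != nil {
		return "", err
	}
	target := filepath.Join(mountRoot, v.SubDir)
	rel, err := filepath.Rel(mountRoot, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("resolved path %q is outside %q", target, mountRoot)
	}
	return target, nil
}

// ValidatePVHandle is the check an admission policy would apply to a
// PersistentVolume that references the NFS CSI driver: parse the handle and
// reject it if the subDir field could traverse out of the managed directory.
func ValidatePVHandle(handle string) error {
	v, err := parseVolumeHandle(handle)
	if err != nil {
		return err
	}
	return validateSubDir(v.SubDir)
}

func main() {
	// Constructed sample handles: one benign, one carrying the traversal.
	mountRoot := "/tmp/csi-nfs-mount"
	for _, h := range []string{
		"nfs.example.internal#/export/k8s#pvc-1234#uuid-1",
		"nfs.example.internal#/export/k8s#../../other-tenant#uuid-2",
	} {
		v, err := parseVolumeHandle(h)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("unchecked target: %s\n", cleanupTargetUnchecked(mountRoot, v))
		if t, err := cleanupTargetChecked(mountRoot, v); err != nil {
			fmt.Printf("rejected: %v\n", err)
		} else {
			fmt.Printf("checked target: %s\n", t)
		}
	}
}
```

For the crafted handle, the unchecked join yields /other-tenant, two levels above the mount root, which is exactly the directory a cleanup would then remove; the checked path refuses it. The same validateSubDir logic is what a CEL or OPA rule should express against spec.csi.volumeHandle, so that the crafted PersistentVolume is never stored in the first place.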


Technical Details

Data Version: 5.2
Assigner Short Name: kubernetes
Date Reserved: 2026-03-10T06:18:16.575Z
CVSS Version: 3.1
State: PUBLISHED


Added to database: 3/20/2026, 10:31:46 PM

Last enriched: 3/27/2026, 11:03:03 PM

Last updated: 5/5/2026, 4:20:55 AM

