Hello Kubernetes Community,
A vulnerability was identified in the Kubernetes CSI Driver for SMB where insufficient validation of the subDir parameter in volume identifiers could allow path traversal. A malicious user with the ability to create a PersistentVolume referencing the SMB CSI driver could craft a volumeHandle containing traversal sequences (for example ../). When the driver performs cleanup operations during volume deletion, these sequences may cause the driver to operate on unintended directories on the SMB server.
An attacker exploiting this flaw could cause deletion or modification of directories outside the intended managed subdirectory within the SMB export.
This issue has been rated Medium (6.5) with CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H and assigned CVE-2026-3865.
Am I vulnerable?
You may be vulnerable if:
- You run the CSI Driver for SMB (smb.csi.k8s.io)
- Your cluster allows users to create PersistentVolumes referencing the SMB CSI driver
- Your CSI driver version does not validate traversal sequences in the subDir field
Affected Versions
All versions of the CSI Driver for SMB prior to v1.20.1, the release containing the fix for traversal validation, are affected.
How do I mitigate this vulnerability?
This issue can be mitigated by:
- Upgrading the CSI Driver for SMB to a patched version
- Restricting PersistentVolume creation privileges to trusted administrators
- Reviewing SMB exports to ensure only intended directories are writable by the driver
As a best practice, untrusted users should not be granted permission to create arbitrary PersistentVolumes referencing external storage drivers.
Fixed Versions
CSI Driver for SMB versions >= v1.20.1
Detection
To determine if your cluster may be affected:
- Inspect PersistentVolumes using the SMB CSI driver and review the volumeHandle field.
- Look for traversal sequences such as `../`.
- Review CSI controller logs for unexpected directory operations, e.g. “Removing subPath: /tmp/mount-uuid/legitimate/../../../exports/subdir”
If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io
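The two detection steps above can be scripted. The following is an added example written for this announcement, not code from the CSI Driver for SMB project or from the Kubernetes Security Response Committee. It treats volumeHandle as an opaque string and flags any `..` path segment (slash or backslash separated), scans controller log lines for the "Removing subPath:" message quoted above, and includes a defensive `stays_within` check of the kind a driver should apply before deleting a subdirectory. The PersistentVolume list mirrors the `spec.csi.driver` / `spec.csi.volumeHandle` layout of `kubectl get pv -o json`; the PV names, handle contents and log lines are constructed sample data.

```python
import json
import posixpath
import re
from typing import Iterable

SMB_CSI_DRIVER = "smb.csi.k8s.io"

# A ".." segment bounded by start/end of string or a slash/backslash.
# "data..old" is not a traversal segment and must not match.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# The controller log message quoted in the advisory's Detection section.
LOG_RE = re.compile(r"Removing subPath:\s*(\S+)")


def has_traversal(value: str) -> bool:
    """True if value contains a '..' path segment with either separator."""
    return TRAVERSAL_RE.search(value) is not None


def stays_within(base: str, sub_dir: str) -> bool:
    """Defensive check a driver should make before deleting a subdirectory:
    resolving sub_dir under base must yield a path inside base."""
    base_norm = posixpath.normpath("/" + base.strip("/"))
    target = posixpath.normpath(
        posixpath.join(base_norm, sub_dir.replace("\\", "/"))
    )
    return target == base_norm or target.startswith(base_norm + "/")


def find_suspicious_pvs(pv_list: dict) -> list[dict]:
    """Return SMB CSI PersistentVolumes whose volumeHandle contains traversal."""
    findings = []
    for pv in pv_list.get("items", []):
        csi = pv.get("spec", {}).get("csi") or {}
        if csi.get("driver") != SMB_CSI_DRIVER:
            continue  # other drivers are out of scope for this check
        handle = csi.get("volumeHandle", "")
        if has_traversal(handle):
            findings.append({"name": pv["metadata"]["name"],
                             "volumeHandle": handle})
    return findings


def find_suspicious_log_lines(lines: Iterable[str]) -> list[str]:
    """Return controller log lines where the removed subPath contains '..'."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and has_traversal(m.group(1)):
            hits.append(line.rstrip())
    return hits


# Constructed sample input in the shape of `kubectl get pv -o json`.
SAMPLE_PV_LIST = json.loads("""{
  "items": [
    {"metadata": {"name": "pv-good"},
     "spec": {"csi": {"driver": "smb.csi.k8s.io",
                      "volumeHandle": "smb-server.example/share#data/pv-good"}}},
    {"metadata": {"name": "pv-bad"},
     "spec": {"csi": {"driver": "smb.csi.k8s.io",
                      "volumeHandle": "smb-server.example/share#legitimate/../../../exports/subdir"}}},
    {"metadata": {"name": "pv-other-driver"},
     "spec": {"csi": {"driver": "nfs.csi.k8s.io",
                      "volumeHandle": "nfs-server.example/export/../escape"}}}
  ]
}""")

# Constructed sample log lines; the first mirrors the advisory's example.
SAMPLE_LOG_LINES = [
    'I0101 12:00:00.000000 1 controllerserver.go:200] Removing subPath: /tmp/mount-uuid/legitimate/../../../exports/subdir',
    'I0101 12:00:01.000000 1 controllerserver.go:200] Removing subPath: /tmp/mount-uuid/data/pv-good',
]

if __name__ == "__main__":
    for f in find_suspicious_pvs(SAMPLE_PV_LIST):
        print("suspicious PV:", f)
    for line in find_suspicious_log_lines(SAMPLE_LOG_LINES):
        print("suspicious log line:", line)
```

To run this against a live cluster, feed `kubectl get pv -o json` into `find_suspicious_pvs` and the SMB CSI controller pod logs into `find_suspicious_log_lines`. A match is an indicator to investigate, not proof of exploitation; an absence of matches does not rule it out if logs have rotated.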
Additional Details
See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/138319
Acknowledgements
This vulnerability was reported by @Shaul Ben Hai, Senior Staff Security Researcher from SentinelOne.
The issue was fixed by the CSI Driver for SMB maintainers and the Kubernetes Security Response Committee.
Andy Zhang @andyzhangx
Vinayak Goyal @vinayakankugoyal
Thank You,
Vinayak Goyal on behalf of the Kubernetes Security Response Committee