What is 2026-016-AWS?

2026-016-AWS is a security advisory published by AWS Security Bulletins. CVE-2026-6437 - Mount Option Injection in Amazon EFS CSI Driver

Which CVE IDs does 2026-016-AWS cover?

2026-016-AWS covers the following CVE IDs: CVE-2026-6437. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

2026-016-AWS

CVE-2026-6437 - Mount Option Injection in Amazon EFS CSI Driver

Vendor

AWS Security Bulletins

Published

April 17, 2026

Last Modified

—

🔗 CVE IDs covered (1)

CVE-2026-6437 →

📋 Description

Bulletin ID: 2026-016-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/17 11:15 AM PDT Description: The Amazon EFS CSI Driver is a Container Storage Interface driver that allows Kubernetes clusters to use Amazon Elastic File System. We identified CVE-2026-6437, where an actor with PersistentVolume creation privileges can inject arbitrary mount options via two unsanitized fields: the Access Point ID in volumeHandle and the mounttargetip volumeAttribute. In both cases, appending comma-separated values causes the mount utility to parse them as separate mount options. No AWS service is affected. Impacted versions: EFS CSI Driver Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

🔗 References (1)

advisoryhttps://aws.amazon.com/security/security-bulletins/rss/2026-016-aws/