CVE-2025-62878 is a critical (CVSS 10.0) flaw in Local Path Provisioner, the Rancher-maintained dynamic provisioner that many Kubernetes clusters use to back PersistentVolumes with node-local storage. The vulnerability lets an attacker break out of the provisioner's storage directory and write files anywhere on the host filesystem by abusing the pathPattern parameter, which determines where volume data is stored and does not sanitise the values it expands.
By injecting directory traversal sequences such as ../../, a malicious user can cause PersistentVolumes to be created outside the intended base path, potentially overwriting sensitive files or exposing directories the provisioner was never meant to touch, /etc among them. The SUSE Rancher Security team has issued an urgent advisory; the fix ships in v0.0.34. Administrators running older versions are told there are no workarounds and must upgrade to a patched release to fully mitigate the issue.
With a CVSS score of 10.0, this is a "drop everything and patch" scenario for any Kubernetes deployment running Local Path Provisioner: check the deployed image tag, upgrade to v0.0.34 or later, and review existing PersistentVolume host paths for anything that resolves outside the configured base directory. The advisory was published by SUSE Rancher Security on February 9, 2026.