CVE-2026-33343

EUVD-2026-14016

26.03.2026, 14:16

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	0 NONE	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
GitHub_M	CNA	0 NONE	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
etcd	etcd	𝑥 < 3.4.42
etcd	etcd	3.5.0 ≤ 𝑥 < 3.5.28
etcd	etcd	3.6.0 ≤ 𝑥 < 3.6.9

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

etcd

bookworm	vulnerable
bullseye	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q