CVE-2026-33343
Published: 2026-03-26
Priority: P343 · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.21% (11.3rd percentile)
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | etcd | — | — |
| etcd-io | etcd | < 3.4.42 | 3.4.42 |
| etcd-io | etcd | — | — |
| etcd-io | etcd | — | — |
| etcd | etcd | < 3.4.42 | 3.4.42 |
| etcd | etcd | >= 3.5.0 < 3.5.28 | 3.5.28 |
| etcd | etcd | >= 3.6.0 < 3.6.9 | 3.6.9 |
| go.etcd.io | etcd | 0 – 3.3.27 | — |
| go.etcd.io | etcd_v3 | >= 0 < 3.4.42 | 3.4.42 |
| go.etcd.io | etcd_v3 | >= 3.5.0-alpha.0 < 3.5.28 | 3.5.28 |
| go.etcd.io | etcd_v3 | >= 3.6.0-alpha.0 < 3.6.9 | 3.6.9 |
| msrc | azl3_etcd_3.5.21-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_etcd_3.5.21-4_on_cbl_mariner_2.0 | — | — |
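As an added example (not code from the advisory, from etcd, or from any of the vendors listed), the following Go check maps a running etcd version onto the fixed-in versions stated above: 3.4.42, 3.5.28 and 3.6.9. It parses etcd-style tags with an optional `v` prefix and pre-release suffix, orders a pre-release before its final release (so `3.6.0-alpha.0` falls inside the `>= 3.6.0-alpha.0 < 3.6.9` range as the go.etcd.io rows express it), and points anything older than the 3.4 line, for which the table lists no fix, at 3.4.42. Two assumptions are made and marked in the comments: differing pre-release tags are ordered lexically, and minor lines newer than 3.6, which the advisory does not list, are treated as unaffected.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed etcd release tag such as "3.5.27" or "v3.6.0-alpha.0".
type Version struct {
	Major, Minor, Patch int
	Pre                 string // pre-release suffix, empty for a final release
}

// ParseVersion accepts "MAJOR.MINOR.PATCH" with an optional leading "v"
// and an optional "-PRERELEASE" suffix, the way etcd tags are written.
func ParseVersion(s string) (Version, error) {
	var v Version
	core := strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(core, '-'); i >= 0 {
		v.Pre = core[i+1:]
		core = core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("malformed version %q", s)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("malformed version %q", s)
		}
		nums[i] = n
	}
	v.Major, v.Minor, v.Patch = nums[0], nums[1], nums[2]
	return v, nil
}

// Less reports whether a sorts before b. A pre-release sorts before the final
// release with the same numbers (3.5.0-alpha.0 < 3.5.0), which is how the
// go.etcd.io ranges in the table are written. Two different pre-release tags
// are compared lexically (assumption: adequate for alpha/beta/rc ordering).
func Less(a, b Version) bool {
	if a.Major != b.Major {
		return a.Major < b.Major
	}
	if a.Minor != b.Minor {
		return a.Minor < b.Minor
	}
	if a.Patch != b.Patch {
		return a.Patch < b.Patch
	}
	if a.Pre == b.Pre {
		return false
	}
	if a.Pre == "" {
		return false // a final release never sorts before its own pre-release
	}
	if b.Pre == "" {
		return true
	}
	return a.Pre < b.Pre
}

// fixedIn is the first patched release of each affected minor line, from the advisory.
var fixedIn = map[string]string{
	"3.4": "3.4.42",
	"3.5": "3.5.28",
	"3.6": "3.6.9",
}

// Affected reports whether a running etcd version is inside an affected range for
// CVE-2026-33343 and, if so, the release to upgrade to. Versions older than the
// 3.4 line are affected with no fix on their own line (the table lists 0 – 3.3.27
// with no fix), so they are pointed at 3.4.42. Minor lines newer than 3.6 are not
// listed in the advisory and are treated as unaffected (assumption).
func Affected(running string) (bool, string, error) {
	v, err := ParseVersion(running)
	if err != nil {
		return false, "", err
	}
	line := fmt.Sprintf("%d.%d", v.Major, v.Minor)
	if fixed, ok := fixedIn[line]; ok {
		f, _ := ParseVersion(fixed) // map values are well-formed by construction
		if Less(v, f) {
			return true, fixed, nil
		}
		return false, "", nil
	}
	if v.Major < 3 || (v.Major == 3 && v.Minor < 4) {
		return true, fixedIn["3.4"], nil
	}
	return false, "", nil
}

func main() {
	// Constructed sample inputs (not values read from a real cluster); in practice
	// the string would come from the "etcdserver" field of etcd's /version endpoint.
	for _, s := range []string{"3.5.27", "3.5.28", "v3.6.0-alpha.0", "3.3.27", "3.7.0"} {
		hit, fix, err := Affected(s)
		switch {
		case err != nil:
			fmt.Println(s, "->", err)
		case hit:
			fmt.Printf("%s -> affected, upgrade to %s\n", s, fix)
		default:
			fmt.Printf("%s -> not affected\n", s)
		}
	}
}
```

Run it against the version each member reports; a cluster whose members straddle a fix boundary should be treated as affected until every member is at or above the fixed release for its line.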
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| osv | 6.5 | MEDIUM | — |
| vendor_debian | 6.5 | NONE | — |
| vendor_redhat | 6.5 | NONE | — |
| vendor_msrc | 5.4 | MEDIUM | — |
Red Hat
etcd: etcd: Authorization bypass allows information disclosure via nested transactions
vendor_redhat · 2026-03-26 · CVSS 6.5 · severity NONE · CWE-639
Microsoft
etcd: Nested etcd transactions bypass RBAC authorization checks
vendor_msrc · 2026-03-10 · CVSS 5.4 · severity NONE · CWE-863
Mariner · GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Debian
CVE-2026-33343: etcd
vendor_debian · 2026 · CVSS 6.5 · severity NONE
OSV
Nested etcd transactions bypass RBAC authorization checks in go.etcd.io/etcd
osv · 2026-04-07
OSV
CVE-2026-33343: etcd is a distributed key-value store for the data of a distributed system
osv · 2026-03-26 · CVSS 6.5 · severity MEDIUM
GHSA
etcd: Nested etcd transactions bypass RBAC authorization checks
ghsa · 2026-03-20 · severity LOW · CWE-863
### Impact
_What kind of vulnerability is it? Who is impacted?_
An authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store.
Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.
### Patches
_Has the problem been patched? What versions should users upgrade to?_
This vulnerability is patched in the following versions:
* etcd 3.6.9
* etcd 3.5.28
* etcd 3.4
OSV
etcd: Nested etcd transactions bypass RBAC authorization checks
osv · 2026-03-20 · severity LOW
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-33413 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.8 · severity HIGH
## CVE-2026-33413: etcd vulnerability analysis and mitigation
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery
Wiz
CVE-2026-33343 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.5 · severity NONE
## CVE-2026-33343: etcd vulnerability analysis and mitigation
Bugzilla
CVE-2026-33343 etcd: etcd: Authorization bypass allows information disclosure via nested transactions [fedora-42]
bugzilla · 2026-03-27 · CVSS 6.5 · severity MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently mai