cbcvebase.
CVE-2026-33343
published 2026-03-26

CVE-2026-33343: etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC…

PriorityP343medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
0.21%
11.3th percentile
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

Affected

13 ranges
VendorProductVersion rangeFixed in
debianetcd
etcd-ioetcd< 3.4.423.4.42
etcd-ioetcd
etcd-ioetcd
etcdetcd< 3.4.423.4.42
etcdetcd>= 3.5.0 < 3.5.283.5.28
etcdetcd>= 3.6.0 < 3.6.93.6.9
go.etcd.ioetcd0 – 3.3.27
go.etcd.ioetcd_v3>= 0 < 3.4.423.4.42
go.etcd.ioetcd_v3>= 3.5.0-alpha.0 < 3.5.283.5.28
go.etcd.ioetcd_v3>= 3.6.0-alpha.0 < 3.6.93.6.9
msrcazl3_etcd_3.5.21-1_on_azure_linux_3.0
msrccbl2_etcd_3.5.21-4_on_cbl_mariner_2.0

CVSS provenance

nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
osv6.5MEDIUM
vendor_debian6.5NONE
vendor_redhat6.5NONE
vendor_msrc5.4MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.