CVE-2026-33413
Published 2026-03-26
Priority P2 · 62 · high · 8.8 CVSS 3.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS 0.25% (16.0th percentile)
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | etcd | — | — |
| etcd-io | etcd | < 3.4.42 | 3.4.42 |
| etcd-io | etcd | — | — |
| etcd-io | etcd | — | — |
| etcd | etcd | < 3.4.42 | 3.4.42 |
| etcd | etcd | >= 3.5.0 < 3.5.28 | 3.5.28 |
| etcd | etcd | >= 3.6.0 < 3.6.9 | 3.6.9 |
| go.etcd.io | etcd | 0 – 3.3.27 | — |
| go.etcd.io | etcd_v3 | >= 0 < 3.4.42 | 3.4.42 |
| go.etcd.io | etcd_v3 | >= 3.5.0-alpha.0 < 3.5.28 | 3.5.28 |
| go.etcd.io | etcd_v3 | >= 3.6.0-alpha.0 < 3.6.9 | 3.6.9 |
| msrc | azl3_etcd_3.5.21-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_etcd_3.5.21-4_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated gRPC calls to the etcd MemberList RPC. This API should require authentication but is bypassable in unpatched versions; monitor for calls from untrusted or unexpected client sources.
- Detect unauthenticated or unexpected gRPC calls to the etcd Alarm RPC, which can be abused for operational disruption or denial of service.
- Detect unauthenticated or unexpected use of the etcd Lease APIs from untrusted clients, which can interfere with TTL-based keys and lease ownership.
- Detect unauthenticated or unexpected compaction requests to etcd, which permanently remove historical revisions and can disrupt watch, audit, and recovery workflows.
- Flag etcd clusters that expose the gRPC API to untrusted or partially trusted clients with etcd auth enabled but running versions prior to 3.4.42, 3.5.28, or 3.6.9.
- Note: the vulnerability only applies when etcd's built-in authentication is enabled. If patching is not immediately possible, treat the affected RPCs (MemberList, Alarm, Lease, Compact) as unauthenticated in practice and restrict network access to etcd server ports to trusted components only.
- Note: multiple Red Hat product packages are confirmed affected, including openshift4/ose-etcd-rhel9, openshift-gitops argocd images, Red Hat OpenStack Platform etcd packages, and others; check the Red Hat advisory for the full package list.
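As an added example (not from the advisory, the trackers quoted on this page, or the etcd project), the following Python checks a version string against the fixed releases in the affected table above and audits the client-facing settings of an etcd config file for the exposure the mitigation guidance describes (plaintext or wide-open client port, no mTLS). The config keys assumed are the documented etcd flags `listen-client-urls`, `client-cert-auth` and `trusted-ca-file`; the config fragments are constructed.

```python
import re
# Fixed releases per branch, as stated in the advisory; every release below the
# 3.4 fix (3.3.x and older included) is listed as affected with no separate fix.
FIXED_BY_BRANCH = {(3, 4): (3, 4, 42), (3, 5): (3, 5, 28), (3, 6): (3, 6, 9)}
FIXED_MIN = (3, 4, 42)

def is_affected(version):
    """True if 'v3.5.21' / '3.6.0-alpha.0' falls inside an affected range of CVE-2026-33413."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())  # pre-release tags ignored
    if not m:
        raise ValueError(f"unrecognised etcd version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    if v < FIXED_MIN:
        return True
    fixed = FIXED_BY_BRANCH.get(v[:2])
    return fixed is not None and v < fixed

def parse_flat_config(text):
    """Minimal parser for the flat 'key: value' lines of an etcd YAML config file."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip().strip("'\"")
    return cfg

def exposure_findings(cfg):
    """Settings that leave the client gRPC port reachable without a strong client identity."""
    urls = [u.strip() for u in cfg.get("listen-client-urls", "http://localhost:2379").split(",")]
    findings = []
    if any(u.startswith("http://") for u in urls):
        findings.append("plaintext http client URL: no transport-layer client identity")
    if any("0.0.0.0" in u or "[::]" in u for u in urls):
        findings.append("client port bound on all interfaces: restrict to trusted components")
    if cfg.get("client-cert-auth", "false").lower() != "true":
        findings.append("client-cert-auth is off: clients need not present a certificate (no mTLS)")
    if not cfg.get("trusted-ca-file"):
        findings.append("trusted-ca-file is unset: client certificates cannot be verified")
    return findings

# Constructed sample fragments (hypothetical, not taken from any real deployment).
WEAK_CONFIG = "listen-client-urls: http://0.0.0.0:2379\nclient-cert-auth: false\n"
HARDENED_CONFIG = """
listen-client-urls: https://10.0.0.5:2379
client-cert-auth: true
trusted-ca-file: /etc/etcd/ca.crt   # scoped CA: issue client certs only to trusted components
cert-file: /etc/etcd/server.crt
key-file: /etc/etcd/server.key
"""
```

Run `exposure_findings(parse_flat_config(open("/etc/etcd/etcd.conf.yml").read()))` against a real config to list the settings to fix; an empty list means the client port is TLS-only and requires a client certificate from the scoped CA.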
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_msrc | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
OSV · 2026-04-07
Authorization bypasses in multiple APIs in go.etcd.io/etcd
OSV · 2026-03-26 · CVSS 8.8 · HIGH
CVE-2026-33413: etcd is a distributed key-value store for the data of a distributed system (same description as the summary at the top of this page)
GHSA · 2026-03-20 · HIGH · CWE-862
etcd: Authorization bypasses in multiple APIs
### Impact
_What kind of vulnerability is it? Who is impacted?_
Multiple vulnerabilities allow unauthorized users to bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients.
In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to:
- call MemberList and learn cluster topology, including member IDs and advertised endpoints
- call Alarm, which can be abused for operational disruption or denial of service
- use Lease APIs, interfering with TTL-based keys and lease ownership
- trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows
Kubernetes does not rely on etc
OSV · 2026-03-20 · HIGH
etcd: Authorization bypasses in multiple APIs (same text as the GHSA entry above)
Red Hat · 2026-03-26 · CVSS 8.8 · HIGH · CWE-306
etcd: etcd: Authorization bypass allows information disclosure and denial of service (same description as the summary at the top of this page)
Microsoft · 2026-03-10 · CVSS 8.8 · HIGH · CWE-862
etcd: Authorization bypasses in multiple APIs
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Debian · 2026 · CVSS 8.8 · HIGH
CVE-2026-33413: etcd - etcd is a distributed key-value store for the data of a distributed system. Prio... (same description as the summary at the top of this page)
No detection rules found.
No public exploits indexed.
Bugzilla · 2026-03-26 · CVSS 8.8 · HIGH
CVE-2026-33413 etcd: etcd: Authorization bypass allows information disclosure and denial of service [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maint
Bugzilla · 2026-03-26 · CVSS 8.8 · HIGH
CVE-2026-33413 etcd: etcd: Authorization bypass allows information disclosure and denial of service (same description as the summary at the top of this page)
Hackernews · 2026-04-20 (indexed under CVE-2026-20184)
⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust.
There’s also a shift in how attacks run. Slower check-ins, multi-stage payloads, and more code kept in memory. Attackers lean on real tools and normal workflows instead of custom builds. Some cas
Wiz · CVSS 8.8 · HIGH
CVE-2026-33413 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33413: etcd vulnerability analysis and mitigation
(same description as the summary at the top of this page)
Wiz · CVSS 6.5 · [NONE] (related advisory CVE-2026-33343, fixed in the same releases)
CVE-2026-33343 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33343: etcd vulnerability analysis and mitigation
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the