CVE-2026-33413
published 2026-03-26


Priority: P2 (62, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.25% (16.0th percentile)
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

Affected

13 ranges

| Vendor     | Product                                | Version range              | Fixed in |
|------------|----------------------------------------|----------------------------|----------|
| debian     | etcd                                   |                            |          |
| etcd-io    | etcd                                   | < 3.4.42                   | 3.4.42   |
| etcd-io    | etcd                                   |                            |          |
| etcd-io    | etcd                                   |                            |          |
| etcd       | etcd                                   | < 3.4.42                   | 3.4.42   |
| etcd       | etcd                                   | >= 3.5.0, < 3.5.28         | 3.5.28   |
| etcd       | etcd                                   | >= 3.6.0, < 3.6.9          | 3.6.9    |
| go.etcd.io | etcd                                   | 0 – 3.3.27                 |          |
| go.etcd.io | etcd_v3                                | >= 0, < 3.4.42             | 3.4.42   |
| go.etcd.io | etcd_v3                                | >= 3.5.0-alpha.0, < 3.5.28 | 3.5.28   |
| go.etcd.io | etcd_v3                                | >= 3.6.0-alpha.0, < 3.6.9  | 3.6.9    |
| msrc       | azl3_etcd_3.5.21-1_on_azure_linux_3.0  |                            |          |
| msrc       | cbl2_etcd_3.5.21-4_on_cbl_mariner_2.0  |                            |          |

Detection & IOCs (extracted from sources)

  • Detect unauthenticated gRPC calls to the etcd MemberList RPC: this API should require authentication but is bypassable in unpatched versions; monitor for calls from untrusted or unexpected client sources
  • Detect unauthenticated or unexpected gRPC calls to the etcd Alarm RPC, which can be abused for operational disruption or denial of service
  • Detect unauthenticated or unexpected use of etcd Lease APIs from untrusted clients, which can interfere with TTL-based keys and lease ownership
  • Detect unauthenticated or unexpected compaction requests to etcd, which permanently remove historical revisions and can disrupt watch, audit, and recovery workflows
  • Flag etcd clusters exposing the gRPC API to untrusted or partially trusted clients with etcd auth enabled but running versions prior to 3.4.42, 3.5.28, or 3.6.9
  • The vulnerability only applies when etcd's built-in authentication is enabled; treat the affected RPCs (MemberList, Alarm, Lease, Compact) as unauthenticated in practice if patching is not immediately possible, and restrict network access to etcd server ports to trusted components only
  • Multiple Red Hat product packages are confirmed affected, including openshift4/ose-etcd-rhel9, openshift-gitops argocd images, Red Hat OpenStack Platform etcd packages, and others; check the Red Hat advisory for the full package list

CVSS provenance

| Source        | Version | Score | Severity | Vector |
|---------------|---------|-------|----------|--------|
| nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd           | v4.0    | 8.8   | HIGH     | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv           |         | 8.8   | HIGH     |        |
| vendor_debian |         | 8.8   | HIGH     |        |
| vendor_msrc   |         | 8.8   | HIGH     |        |
| vendor_redhat |         | 8.8   | HIGH     |        |