Description
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
Published: 2026-03-26
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to entire etcd data store via RBAC bypass
Action: Apply Patch
AI Analysis

Impact

The flaw allows an authenticated user with limited RBAC permissions to nest etcd transactions and bypass all key‑level authorization checks. By crafting a sequence of transactions, the attacker can retrieve any key in the store, effectively ignoring the defined access restrictions. This results in full disclosure of the etcd data, yielding confidentiality loss and potential system compromise.

Affected Systems

The vulnerability is present in etcd‑io's etcd server versions before 3.4.42, 3.5.28, and 3.6.9. Deployment environments that interact directly with etcd using these versions and rely on etcd’s built‑in RBAC are affected. Typical Kubernetes installations, which use the API server for authentication and authorization, are not impacted unless they expose etcd directly to clients.

Risk and Exploitability

The issue is scored with a high exploitation potential: any authenticated etcd client can exploit it without additional privileges. The EPSS score is not available and the vulnerability is not listed in KEV, but the practical risk remains high because the attack surface is the etcd RPC interface. If an attacker obtains valid credentials or compromises a user account that can communicate with etcd, they can perform the nested transaction trick to leak all data. Network exposure to the etcd server further increases exploitability, so limiting access and hardening the transport layer are crucial.

Generated by OpenCVE AI on March 27, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade etcd to at least version 3.4.42, 3.5.28, or 3.6.9 where the issue is fixed.
  • If an upgrade cannot be performed immediately, treat the affected etcd RPCs as unauthenticated and restrict their usage in practice.
  • Restrict network access to etcd server ports so that only trusted components can connect to the server.
  • Enforce strong client identity at the transport layer, such as mTLS with tightly scoped client certificates.
  • Verify that your Kubernetes deployment does not rely on etcd’s built‑in authentication, or audit your environment for direct etcd access.
  • Monitor logs for unusual etcd transaction activity to detect potential abuse.

Advisories

Source: Github GHSA
ID: GHSA-rfx7-8w68-q57q
Title: etcd: Nested etcd transactions bypass RBAC authorization checks
History

Fri, 27 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-639
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Thu, 26 Mar 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Etcd; Etcd etcd
CPEs | | cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*
Vendors & Products | | Etcd; Etcd etcd

Thu, 26 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
Title | | etcd: Nested etcd transactions bypass RBAC authorization checks
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1: {'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:25:09.851Z

Reserved: 2026-03-18T22:15:11.813Z

Link: CVE-2026-33343

Vulnrichment

Updated: 2026-03-26T18:14:37.624Z

NVD

Status: Analyzed

Published: 2026-03-26T14:16:13.137

Modified: 2026-03-26T20:41:35.243

Link: CVE-2026-33343

Redhat

Severity: Moderate

Public Date: 2026-03-26T13:23:48Z

Links: CVE-2026-33343 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T15:47:34Z

Weaknesses