Description
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access and potential data tampering and service disruption
Action: Apply Patch
AI Analysis

Impact

A vulnerability in etcd allows an unauthorized user to bypass authentication or authorization checks on the gRPC API in versions before 3.4.42, 3.5.28, and 3.6.9. By calling MemberList, an adversary can discover cluster topology, including member IDs and advertised endpoints, and so obtain a complete view of the distributed system. The attacker can also invoke Alarm to disrupt operations, use Lease APIs to interfere with TTL-based keys and lease ownership, and trigger compaction to permanently erase historical revisions, affecting audit and recovery workflows. These actions compromise the confidentiality, integrity, and availability of the cluster storage and may enable further attacks on applications that rely on etcd.

Affected Systems

etcd-io's etcd distributed key-value store versions 3.4.x prior to 3.4.42, 3.5.x prior to 3.5.28, and 3.6.x prior to 3.6.9 are affected when authentication is enabled but the gRPC API is exposed to untrusted or partially trusted clients. Typical Kubernetes deployments are not impacted because Kubernetes performs authentication and authorization at the API server level, not within etcd.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the vulnerability is exploitable over the network via the gRPC interface. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog, but the attack vector is inferred to be remote access to the etcd server ports. An attacker with network connectivity to the exposed API can exploit the authorization bypass, gaining full cluster read or modify capabilities without valid credentials.

Generated by OpenCVE AI on March 27, 2026 at 06:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade etcd to 3.4.42, 3.5.28, 3.6.9, or any newer release that contains the patch
  • If upgrading is delayed, restrict network access to etcd server ports using firewalls, VPNs, or container network policies so only trusted components can reach the API
  • Enforce strong transport-layer security, such as mutual TLS with tightly scoped client certificates, to prevent unauthenticated connections
  • Treat the affected RPCs (MemberList, Alarm, Lease APIs, compaction) as unauthenticated in practice, monitor for suspicious usage, and apply additional application-level controls if necessary
  • Verify that etcd authentication is correctly configured and that the cluster is not exposed to untrusted clients
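As an added example (not from the advisory or the etcd project), the following Python script applies the affected version ranges given above to the per-member version reported by etcdctl endpoint status -w json, so an operator can see which members still need the upgrade. The Endpoint and Status.version field names, the sample output, and the triage.py file name are assumptions.

```python
import json
import re
import sys

# Fixed releases named by the advisory (CVE-2026-33413): a 3.4.x, 3.5.x or
# 3.6.x server with a lower patch number is affected. Other minor lines are
# not named by the advisory and are reported as not affected.
FIXED_PATCH = {(3, 4): 42, (3, 5): 28, (3, 6): 9}

# Accepts "3.5.27", "v3.5.27" and "3.6.9-rc.0"; a pre-release suffix is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text):
    """Return (major, minor, patch) for an etcd server version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised etcd version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if this server version predates the fix on its minor line."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


def triage(status_json):
    """Map etcdctl 'endpoint status -w json' output to (endpoint, version, affected)."""
    rows = []
    for entry in json.loads(status_json):
        version = entry["Status"]["version"]
        rows.append((entry["Endpoint"], version, is_affected(version)))
    return rows


# Constructed sample output; the "Endpoint"/"Status"/"version" field names are
# assumed to match etcdctl's JSON output. Member 2 is already on a fixed release.
SAMPLE_STATUS = json.dumps([
    {"Endpoint": "10.0.0.11:2379", "Status": {"header": {"member_id": 1}, "version": "3.5.27"}},
    {"Endpoint": "10.0.0.12:2379", "Status": {"header": {"member_id": 2}, "version": "3.5.28"}},
    {"Endpoint": "10.0.0.13:2379", "Status": {"header": {"member_id": 3}, "version": "3.4.40"}},
])

if __name__ == "__main__":
    # Pipe real output in with: etcdctl endpoint status --cluster -w json | python3 triage.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for endpoint, version, affected in triage(data):
        print(f"{endpoint:<20} {version:<10} {'AFFECTED' if affected else 'fixed/not listed'}")
```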

Advisories
Source: GitHub GHSA
ID: GHSA-q8m4-xhhv-38mg
Title: etcd: Authorization bypasses in multiple APIs
History

Fri, 27 Mar 2026 04:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-306
References | |
Metrics threat_severity | None | Moderate


Thu, 26 Mar 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Etcd; Etcd etcd
CPEs | | cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*
Vendors & Products | | Etcd; Etcd etcd
Metrics cvssV3_1 | | {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics ssvc | | {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | (initial description; identical to the Description at the top of this page)
Title | | etcd: Authorization bypasses in multiple APIs
Weaknesses | | CWE-862
References | |
Metrics cvssV4_0 | | {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:51:42.935Z

Reserved: 2026-03-19T17:02:34.171Z

Link: CVE-2026-33413

Vulnrichment

Updated: 2026-03-26T18:51:39.898Z

NVD

Status: Analyzed

Published: 2026-03-26T14:16:13.490

Modified: 2026-03-26T20:39:29.473

Link: CVE-2026-33413

Redhat

Severity: Moderate

Public Date: 2026-03-26T13:36:10Z

Links: CVE-2026-33413 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:26:43Z

Weaknesses