Description
etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled. This vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11.
Published: 2026-05-14
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in etcd allows an authenticated user to read data or attach leases through transaction operations that use PrevKv or lease attachment features. Because the authorization checks are bypassed, a user without sufficient read or lease permissions can access or manipulate data they should not be able to reach. The vulnerability represents an authorization bypass and can lead to exposure of sensitive information or improper lease management.

Affected Systems

The issue affects etcd-io:etcd versions prior to 3.4.44, 3.5.30, and 3.6.11. Any deployment still running one of those earlier releases is exposed to the flaw. Production clusters that rely on etcd for configuration or data storage and are not on the newest supported release are at risk.

Risk and Exploitability

The risk is high because the flaw permits unauthorized data reads or lease attachment, effectively elevating privileges within the etcd data store. The EPSS score is not available, indicating no quantifiable data on exploitation probability, and the vulnerability is not listed in CISA KEV. Attackers would need authenticated access to the cluster and would exploit transaction API calls that include PrevKv or lease features, which are commonly used in advanced cluster operations. Given the severity of the bypass and the lack of mitigation in older releases, the overall threat is significant.

Generated by OpenCVE AI on May 14, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade etcd to v3.4.44, v3.5.30, or v3.6.11, or to a later release that contains the fix
  • If an upgrade is not immediately possible, restrict or block transaction operations that include PrevKv or lease attachment, or limit them to roles with full permissions
  • Review and tighten RBAC policies to ensure users have only the read or lease permissions they truly need and remove excessive privileges
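To act on the upgrade recommendation, the following is an added example (not OpenCVE's or the etcd project's own code) that checks version strings taken from `etcd --version` or `etcdctl endpoint status` against the fixed releases named above. The cluster endpoints and versions in it are constructed samples, and treating branches newer than 3.6 as fixed is an assumption.

```python
"""Check whether an etcd release carries the fix for CVE-2026-44283.

Added example, not OpenCVE's or the etcd project's own code. The fixed
releases (3.4.44, 3.5.30, 3.6.11) are taken from the advisory above.
"""
import re

# First fixed release on each affected minor branch, per the advisory.
FIXED = {(3, 4): (3, 4, 44), (3, 5): (3, 5, 30), (3, 6): (3, 6, 11)}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+.*)?$")

def parse_version(text):
    """Parse '3.5.12', 'v3.6.0-rc.1' or the 'etcd Version: 3.5.12' line
    of `etcd --version` into (major, minor, patch, is_prerelease)."""
    m = re.search(r"etcd Version:\s*(\S+)", text)
    candidate = m.group(1) if m else text.strip()
    m = VERSION_RE.match(candidate)
    if not m:
        raise ValueError(f"unrecognised etcd version: {text!r}")
    major, minor, patch, pre, _build = m.groups()
    return int(major), int(minor), int(patch), pre is not None

def is_fixed(version):
    """True if `version` contains the fix.

    3.4, 3.5 and 3.6 are fixed from the listed patch release onward. A
    pre-release such as 3.6.11-rc.0 precedes its final release, so it only
    counts as fixed when its base version is strictly newer than the fixed
    one. Branches older than 3.4 fall under "prior to 3.4.44" and are
    reported as vulnerable; branches newer than 3.6 are assumed fixed.
    """
    major, minor, patch, pre = parse_version(version)
    branch, base = (major, minor), (major, minor, patch)
    if branch in FIXED:
        return base > FIXED[branch] if pre else base >= FIXED[branch]
    return branch > max(FIXED)

def vulnerable_endpoints(endpoint_versions):
    """Given {endpoint: version string} (e.g. the VERSION column of
    `etcdctl endpoint status`), return the endpoints still exposed."""
    return [ep for ep, ver in endpoint_versions.items() if not is_fixed(ver)]

if __name__ == "__main__":
    # Constructed sample cluster; these are not real endpoints.
    sample = {"10.0.0.1:2379": "3.5.29", "10.0.0.2:2379": "3.5.30",
              "10.0.0.3:2379": "etcd Version: 3.4.43"}
    print("still vulnerable:", vulnerable_endpoints(sample))
```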

Advisories

Source: GitHub GHSA
ID: GHSA-x35m-3gp4-4fh5
Title: etcd RBAC bypass allows unauthorized data access via PrevKv/lease attachment in nested transaction Put requests

History

Fri, 15 May 2026 18:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Etcd; Etcd etcd
CPEs                |                | cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*
Vendors & Products  |                | Etcd; Etcd etcd

Thu, 14 May 2026 17:30:00 +0000

Type        | Values Removed | Values Added
Description |                | etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled. This vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11.
Title       |                | etcd: Read access via PrevKv in etcd transactions may bypass RBAC authorization checks
Weaknesses  |                | CWE-863
References  |                |
Metrics     |                | cvssV3_1 {'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T17:01:33.598Z

Reserved: 2026-05-05T17:39:31.112Z

Link: CVE-2026-44283

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-14T18:16:49.650

Modified: 2026-05-15T18:24:59.527

Link: CVE-2026-44283

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T18:30:26Z

Weaknesses