Description
etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the --client-crl-file Certificate Revocation List is not enforced on the gRPC listener, allowing a client with a revoked certificate to authenticate successfully over gRPC. This issue is fixed in versions 3.5.32 and 3.6.13.
Published: 2026-07-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

etcd fails to enforce the client certificate revocation list when the '--listen-client-http-urls' flag splits HTTP and gRPC client endpoints onto separate listeners. As a result, a client presenting a revoked certificate can still authenticate over gRPC. This bypass of revocation checks permits an attacker to impersonate a legitimate client, potentially compromising the confidentiality or integrity of etcd data. The flaw is captured by CWE‑295, reflecting a broken authentication mechanism.

Affected Systems

etcd versions earlier than 3.5.32 and 3.6.13 are affected when configured with the split‑listener option. Administrators using etcd‑io’s etcd 3.5.x or 3.6.x releases that employ '--listen-client-http-urls' for separate HTTP and gRPC endpoints are susceptible. All deployments of those versions that expose the gRPC endpoint to potential clients are therefore at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of <1% shows the probability of exploitation remains very low. The vulnerability is not listed in the CISA KEV catalog, suggesting no currently widespread exploitation. However, the attack can be delivered from any network location that can reach the gRPC endpoint, and an attacker only needs a compromised or revoked client certificate to gain access. The fact that revocation is ignored removes a key safety check, making the compromise straightforward for a determined adversary.

Generated by OpenCVE AI on July 9, 2026 at 23:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade etcd to release 3.5.32 or later, or 3.6.13 or later, where the gRPC listener enforces the client CRL.
  • If an upgrade is not immediately feasible, avoid using '--listen-client-http-urls' to split HTTP and gRPC endpoints, or ensure that the gRPC listener is isolated behind stricter network controls so only trusted hosts can reach it.
  • Implement network segmentation or firewall rules that limit gRPC traffic to authoritative clients, and monitor etcd logs for unsuccessful authentication attempts to detect abuse of revoked certificates.

Generated by OpenCVE AI on July 9, 2026 at 23:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 08 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the --client-crl-file Certificate Revocation List is not enforced on the gRPC listener, allowing a client with a revoked certificate to authenticate successfully over gRPC. This issue is fixed in versions 3.5.32 and 3.6.13.
Title etcd: gRPC client listener does not enforce `--client-crl-file` certificate revocation
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-09T13:13:10.463Z

Reserved: 2026-07-07T15:00:50.978Z

Link: CVE-2026-59818

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-07-08T21:00:18Z

Links: CVE-2026-59818 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:00:11Z

Weaknesses
  • CWE-295

    Improper Certificate Validation