CVE-2026-33343

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

26/03/2026

Last modified:

26/03/2026

Description

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 0.00 NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): None

Base Score 3.x

0.00

Severity 3.x

NONE

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:etcd:etcd::::::::		3.4.42 (excluding)
cpe:2.3:a:etcd:etcd::::::::	3.5.0 (including)	3.5.28 (excluding)
cpe:2.3:a:etcd:etcd::::::::	3.6.0 (including)	3.6.9 (excluding)

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q