CVE-2026-33343

Name
CVE-2026-33343
Description
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:* etcd >= None < 3.4.42
cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:* etcd >= 3.5.0 < 3.5.28
cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:* etcd >= 3.6.0 < 3.6.9

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
etcd edge-community 3.6.8-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.6.8-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.6.4-r6 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.6.4-r4 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.6.4-r3 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.6.4-r2 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.6.4-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.6.4-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.18-r5 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.18-r4 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.18-r3 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.18-r2 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.18-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.18-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.16-r3 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.16-r2 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.16-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd 3.23-community 3.6.4-r8 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd 3.23-community 3.6.4-r7 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd 3.23-community 3.6.4-r6 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd 3.23-community 3.6.4-r4 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd 3.23-community 3.6.4-r3 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable