CVE-2026-33413

Name
CVE-2026-33413
Description
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:* etcd >= None < 3.4.42
cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:* etcd >= 3.5.0 < 3.5.28
cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:* etcd >= 3.6.0 < 3.6.9

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
etcd edge-community 3.6.8-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.6.8-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.6.4-r6 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.6.4-r4 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.6.4-r3 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.6.4-r2 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.6.4-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.6.4-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.18-r5 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.18-r4 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.18-r3 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.18-r2 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.18-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.18-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.16-r3 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.16-r2 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd edge-community 3.5.16-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd 3.23-community 3.6.4-r8 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd 3.23-community 3.6.4-r7 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd 3.23-community 3.6.4-r6 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd 3.23-community 3.6.4-r4 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
etcd 3.23-community 3.6.4-r3 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable