CVE-2026-33343

NONE

etcd: Nested etcd transactions bypass RBAC authorization checks

Title source: cna

Description

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

References (1)

[X_Refsource_Confirm] https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q

Scores

CVSS v3 0.0

EPSS 0.0001

EPSS Percentile 3.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (6)

etcd/etcd < 3.4.42

etcd/v3 3.6.0-alpha.0 - 3.6.9Go

etcd-io/etcd < 3.4.42

etcd-io/etcd >= 3.5.0-alpha.0, < 3.5.28

etcd-io/etcd >= 3.6.0-alpha.0, < 3.6.9

go.etcd.io/etcd 0Go

Published Mar 26, 2026

Tracked Since Mar 26, 2026