CVEFinder.io

CVE-2026-33343

🔶 medium
🔍 Scan for this CVE
Summary

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the AP

Description

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

CVSS Score
0.0
EPSS Score
0.0
Exploit Probability
Published Date
2026-03-26
First Seen: 2026-03-27
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 0.0% of all 329,778 vulnerabilities in our database.

#329,713
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Mar 26, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-03-26
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CWE IDs (Weakness Types)
CWE-863

📦 Affected Products 3

Vendor Product Status Affected Versions
etcd etcd Affected
< 3.4.42
etcd etcd Affected
> 3.5.0 < 3.5.28
etcd etcd Affected
> 3.6.0 < 3.6.9

🔗 References 1

https://github.com/etcd-io/etcd/security/advisories/...
Mitigation Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-44283 🔶 medium 0.0 0.0 etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulne... 2026-05-14
CVE-2026-33413 ⚠️ high 8.8 0.0 etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9,... 2026-03-26
CVE-2022-34038 ⚠️ high 7.5 0.6 Etcd v3.5.4 allows remote attackers to cause a denial of service via function PageWriter.write in pagewriter.go. NOTE: t... 2023-08-22
CVE-2023-32082 ℹ️ low 3.1 0.2 etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the Leas... 2023-05-11
CVE-2021-28235 ⛔ critical 9.8 0.5 Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug func... 2023-04-04
CVE-2020-15106 🔶 medium 6.5 0.1 In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is st... 2020-08-05
These CVEs affect the same products