CVEFinder.io

CVE-2026-33413

⚠️ high
🔍 Scan for this CVE
Summary

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be

Description

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

CVSS Score
8.8
High
EPSS Score
0.0
Exploit Probability
Published Date
2026-03-26
First Seen: 2026-03-27
📊 Relative Risk Intelligence

This CVE is High Risk - more severe than 81.1% of all 329,778 vulnerabilities in our database.

#62,395
Top 25% most severe
Severity Percentile
🎯 CISA SSVC Assessment Updated: Mar 26, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-03-26
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-862

📦 Affected Products 3

Vendor Product Status Affected Versions
etcd etcd Affected
< 3.4.42
etcd etcd Affected
> 3.5.0 < 3.5.28
etcd etcd Affected
> 3.6.0 < 3.6.9

🔗 References 1

https://github.com/etcd-io/etcd/security/advisories/...
Mitigation Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-44283 🔶 medium 0.0 0.0 etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulne... 2026-05-14
CVE-2026-33343 🔶 medium 0.0 0.0 etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9,... 2026-03-26
CVE-2022-34038 ⚠️ high 7.5 0.6 Etcd v3.5.4 allows remote attackers to cause a denial of service via function PageWriter.write in pagewriter.go. NOTE: t... 2023-08-22
CVE-2023-32082 ℹ️ low 3.1 0.2 etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the Leas... 2023-05-11
CVE-2021-28235 ⛔ critical 9.8 0.5 Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug func... 2023-04-04
CVE-2020-15106 🔶 medium 6.5 0.1 In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is st... 2020-08-05
These CVEs affect the same products