{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33413", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.171Z", "datePublished": "2026-03-26T13:36:10.919Z", "dateUpdated": "2026-03-26T18:51:42.935Z"}, "containers": {"cna": {"title": "etcd: Authorization bypasses in multiple APIs", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg"}], "affected": [{"vendor": "etcd-io", "product": "etcd", "versions": [{"version": ">= 3.6.0-alpha.0, < 3.6.9", "status": "affected"}, {"version": ">= 3.5.0-alpha.0, < 3.5.28", "status": "affected"}, {"version": "< 3.4.42", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T13:36:10.919Z"}, "descriptions": [{"lang": "en", "value": "etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd\u2019s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution."}], "source": {"advisory": "GHSA-q8m4-xhhv-38mg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:51:34.624898Z", "id": "CVE-2026-33413", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:51:42.935Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33413", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:51:34.624898Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:51:39.898Z"}}], "cna": {"title": "etcd: Authorization bypasses in multiple APIs", "source": {"advisory": "GHSA-q8m4-xhhv-38mg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "etcd-io", "product": "etcd", "versions": [{"status": "affected", "version": ">= 3.6.0-alpha.0, < 3.6.9"}, {"status": "affected", "version": ">= 3.5.0-alpha.0, < 3.5.28"}, {"status": "affected", "version": "< 3.4.42"}]}], "references": [{"url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg", "name": "https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd\u2019s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T13:36:10.919Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33413", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:51:42.935Z", "dateReserved": "2026-03-19T17:02:34.171Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T13:36:10.919Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9D28F29-7668-485E-BE8A-7D74EECA0C86", "versionEndExcluding": "3.4.42", "vulnerable": true}, {"criteria": "cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C785A0D-9833-40E8-9BB5-DE51033FE744", "versionEndExcluding": "3.5.28", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5676998-E142-4BF3-B2CC-9AA1F9AC1946", "versionEndExcluding": "3.6.9", "versionStartIncluding": "3.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd\u2019s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution."}], "id": "CVE-2026-33413", "lastModified": "2026-03-26T20:39:29.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T14:16:13.490", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "etcd: etcd: Authorization bypass allows information disclosure and denial of service", "id": "2451728", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451728"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", "status": "draft"}, "cwe": "CWE-306", "details": ["A flaw was found in etcd, a distributed key-value store. Unauthorized users can bypass authentication or authorization checks when the gRPC API is exposed to untrusted clients. This allows them to access sensitive cluster topology information, disrupt operations through alarms, interfere with lease management, and trigger data compaction, leading to permanent data loss and disruption of critical workflows. This vulnerability can result in information disclosure and denial of service."], "name": "CVE-2026-33413", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/istio-rhel8-operator", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform/platform-operator-bundle", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-baremetal-rhel9-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-etcd-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel9", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "rhoso-operators/openstack-operator-bundle", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2026-03-26T13:36:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33413\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33413\nhttps://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg"], "statement": "This flaw in etcd allows unauthorized users to bypass authentication or authorization checks when the gRPC API is exposed to untrusted clients and etcd's built-in authentication is enabled. This can lead to information disclosure and denial of service. Typical Red Hat OpenShift Container Platform and Kubernetes deployments are not affected, as the Kubernetes API server handles authentication and authorization independently of etcd's internal mechanisms.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.6.0-alpha.0,3.6.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.5.0-alpha.0,3.5.28)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.4.42)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "etcd", "source": "cna", "vendor": "etcd-io"}, "product": "etcd", "vendor": "etcd"}], "analysis": {"en": {"generated_at": "2026-03-27T06:29:55.891708+00:00", "value": {"mitigation_remediation": ["Upgrade etcd to 3.4.42, 3.5.28, 3.6.9, or any newer release that contains the patch", "If upgrading is delayed, restrict network access to etcd server ports using firewalls, VPNs, or container network policies so only trusted components can reach the API", "Enforce strong transport\u2011layer security, such as mutual TLS with tightly scoped client certificates, to prevent unauthenticated connections", "Treat the affected RPCs (MemberList, Alarm, Lease APIs, compaction) as unauthenticated in practice, monitor for suspicious usage, and apply additional application\u2011level controls if necessary", "Verify that etcd authentication is correctly configured and that the cluster is not exposed to untrusted clients"], "summary": {"action": "Apply Patch", "impact": "Unauthorized access and potential data tampering and service disruption"}, "threat_synthesis": {"affected_systems": "etcd\u2011io\u2019s etcd distributed key\u2011value store versions 3.4.x prior to 3.4.42, 3.5.x prior to 3.5.28, and 3.6.x prior to 3.6.9 are affected when authentication is enabled but the gRPC API is exposed to untrusted or partially trusted clients. Typical Kubernetes deployments are not impacted because Kubernetes performs authentication and authorization at the API server level, not within etcd.", "description_and_impact": "A vulnerability in etcd allows an unauthorized user to bypass authentication or authorization checks on the gRPC API before version 3.4.42, 3.5.28, and 3.6.9. By calling MemberList, an adversary can discover cluster topology, including member IDs and advertised endpoints, thereby gaining a complete view of the distributed system. The attacker can also invoke Alarm to disrupt operations, use Lease APIs to interfere with TTL\u2011based keys and lease ownership, and trigger compaction to permanently erase historical revisions, thereby affecting audit and recovery workflows. These actions compromise confidentiality, integrity, and availability of the cluster storage, potentially enabling further attacks on applications relying on etcd.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, and the vulnerability is exploitable over the network via the gRPC interface. EPSS data is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, but the attack vector is inferred to be remote access to the etcd server ports. An attacker with network connectivity to the exposed API can exploit the authorization bypass, gaining full cluster read or modify capabilities without valid credentials."}}}}, "created": "2026-03-27T08:34:15.971871+00:00", "updated": "2026-03-27T09:26:43.684929+00:00", "vendors": ["etcd", "etcd$PRODUCT$etcd"]}