FKIE_CVE-2026-33343

Vulnerability from fkie_nvd - Published: 2026-03-26 14:16 - Updated: 2026-03-26 20:41
Summary
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
Impacted products
Vendor  Product  Version
etcd    etcd     < 3.4.42 (the NVD range has no lower bound)
etcd    etcd     3.5.0 up to, but excluding, 3.5.28
etcd    etcd     3.6.0 up to, but excluding, 3.6.9
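Added triage example, not code from the etcd project or from the advisory: a Go program that applies the three affected ranges listed above to the version string each member reports on its GET /version endpoint, and names the release that closes the range. The member addresses and the response bodies are constructed samples; the `etcdserver` and `etcdcluster` field names are the ones etcd serves.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed etcd release: major, minor, patch.
type Version [3]int

// parseVersion accepts "3.5.27", "v3.5.27" or "3.5.27-pre" and returns the
// numeric components; pre-release and build suffixes are ignored.
func parseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("unexpected version string %q", s)
	}
	var v Version
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		v[i] = n
	}
	return v, nil
}

// Less reports whether v sorts before o.
func (v Version) Less(o Version) bool {
	for i := range v {
		if v[i] != o[i] {
			return v[i] < o[i]
		}
	}
	return false
}

// Assess applies the NVD configuration for CVE-2026-33343 to a server version:
// anything below 3.4.42 (the first range has no lower bound, so 3.3.x and older
// are flagged too), 3.5.0 up to but excluding 3.5.28, and 3.6.0 up to but
// excluding 3.6.9. It returns whether the version is affected and the release
// that closes that range.
func Assess(serverVersion string) (vulnerable bool, fixedIn string, err error) {
	v, err := parseVersion(serverVersion)
	if err != nil {
		return false, "", err
	}
	switch {
	case v.Less(Version{3, 4, 42}):
		return true, "3.4.42", nil
	case !v.Less(Version{3, 5, 0}) && v.Less(Version{3, 5, 28}):
		return true, "3.5.28", nil
	case !v.Less(Version{3, 6, 0}) && v.Less(Version{3, 6, 9}):
		return true, "3.6.9", nil
	}
	return false, "", nil
}

// versionResponse mirrors the body etcd serves on GET /version.
type versionResponse struct {
	Server  string `json:"etcdserver"`
	Cluster string `json:"etcdcluster"`
}

// AssessVersionJSON parses a /version body and assesses the reported server
// version. The cluster version is ignored on purpose: it is the cluster-wide
// protocol level (always x.y.0), not the patch level of the member that answered.
func AssessVersionJSON(body []byte) (vulnerable bool, fixedIn string, err error) {
	var vr versionResponse
	if err := json.Unmarshal(body, &vr); err != nil {
		return false, "", fmt.Errorf("decoding /version body: %w", err)
	}
	if vr.Server == "" {
		return false, "", fmt.Errorf("/version body has no etcdserver field")
	}
	return Assess(vr.Server)
}

func main() {
	// Constructed samples standing in for the output of, e.g.,
	// curl --cacert ca.pem --cert client.pem --key client-key.pem https://<member>:2379/version
	// collected from every member; a mid-upgrade cluster mixes patched and unpatched binaries.
	samples := []struct{ member, body string }{
		{"10.0.0.5", `{"etcdserver":"3.5.27","etcdcluster":"3.5.0"}`},
		{"10.0.0.6", `{"etcdserver":"3.5.28","etcdcluster":"3.5.0"}`},
		{"10.0.0.7", `{"etcdserver":"3.6.8","etcdcluster":"3.6.0"}`},
		{"10.0.0.8", `{"etcdserver":"3.4.41","etcdcluster":"3.4.0"}`},
	}
	for _, s := range samples {
		vuln, fix, err := AssessVersionJSON([]byte(s.body))
		switch {
		case err != nil:
			fmt.Printf("%s: cannot assess: %v\n", s.member, err)
		case vuln:
			fmt.Printf("%s: AFFECTED, upgrade to %s or later on this branch\n", s.member, fix)
		default:
			fmt.Printf("%s: not in an affected range\n", s.member)
		}
	}
}
```

Query every member, not just the one behind a load balancer: during a rolling upgrade a client pinned to an unpatched member is still exposed even though other members are fixed. A hit is the cue to apply the advisory's interim mitigations (limit which hosts can reach the client port, require client certificates) until the whole cluster is on a fixed release.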

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9D28F29-7668-485E-BE8A-7D74EECA0C86",
              "versionEndExcluding": "3.4.42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C785A0D-9833-40E8-9BB5-DE51033FE744",
              "versionEndExcluding": "3.5.28",
              "versionStartIncluding": "3.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5676998-E142-4BF3-B2CC-9AA1F9AC1946",
              "versionEndExcluding": "3.6.9",
              "versionStartIncluding": "3.6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd\u2019s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution."
    }
  ],
  "id": "CVE-2026-33343",
  "lastModified": "2026-03-26T20:41:35.243",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 0.0,
          "baseSeverity": "NONE",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 0.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-26T14:16:13.137",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

