GHSA-Q8M4-XHHV-38MG
Vulnerability from github – Published: 2026-03-20 20:48 – Updated: 2026-03-27 20:48Impact
What kind of vulnerability is it? Who is impacted?
Multiple vulnerabilities allow unauthorized users to bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients.
In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to:
- call MemberList and learn cluster topology, including member IDs and advertised endpoints
- call Alarm, which can be abused for operational disruption or denial of service
- use Lease APIs, interfering with TTL-based keys and lease ownership
- trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows
Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.
Patches
Has the problem been patched? What versions should users upgrade to?
These vulnerabilities are patched in the following versions:
- etcd 3.6.9
- etcd 3.5.28
- etcd 3.4.42
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice.
- restrict network access to etcd server ports so only trusted components can connect
- require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution
Reporters
Community efforts help keep etcd secure
The etcd community thanks Isaac David, bugbunny.ai, Asim Viladi Oglu Manizada, Alex Schapiro & Ahmed Allam from Strix security, Luke Francis, and @OLU-DEVX for reporting these vulnerabilities.
Dependency Between Reported Issues
These issues all originate from the same underlying flaw in the gRPC API layer.
They affect the same API surface and share a common root cause. In practice, the fix is implemented as a single, unified change at the API layer, which resolves all issues together.
Given this, we believe these issues are best treated as a single vulnerability and should be assigned a single CVE.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.6.8"
},
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.6.0-alpha.0"
},
{
"fixed": "3.6.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.5.27"
},
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.0-alpha.0"
},
{
"fixed": "3.5.28"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.4.41"
},
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.42"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.3.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33413"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:48:14Z",
"nvd_published_at": "2026-03-26T14:16:13Z",
"severity": "HIGH"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nMultiple vulnerabilities allow unauthorized users to bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients.\n\nIn unpatched etcd clusters with etcd auth enabled, unauthorized users are able to:\n\n - call MemberList and learn cluster topology, including member IDs and advertised endpoints\n - call Alarm, which can be abused for operational disruption or denial of service\n - use Lease APIs, interfering with TTL-based keys and lease ownership\n - trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows\n\nKubernetes does not rely on etcd\u2019s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThese vulnerabilities are patched in the following versions:\n\n* etcd 3.6.9\n* etcd 3.5.28\n* etcd 3.4.42\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nIf upgrading is not immediately possible, reduce exposure by treating the affected \nRPCs as unauthenticated in practice.\n\n- restrict network access to etcd server ports so only trusted components can connect\n- require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate\n distribution\n\n### Reporters\n_Community efforts help keep etcd secure_\n\nThe etcd community thanks Isaac David, bugbunny.ai, Asim Viladi Oglu Manizada, Alex Schapiro \u0026 Ahmed Allam from Strix security, Luke Francis, and @OLU-DEVX for reporting these vulnerabilities.\n\n### Dependency Between Reported Issues\n\nThese issues all originate from the same underlying flaw in the gRPC API layer.\n\nThey affect the same API surface and share a common root cause. In practice, the fix is implemented as a single, unified change at the API layer, which resolves all issues together.\n\nGiven this, we believe these issues are best treated as a single vulnerability and should be assigned a single CVE.",
"id": "GHSA-q8m4-xhhv-38mg",
"modified": "2026-03-27T20:48:46Z",
"published": "2026-03-20T20:48:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33413"
},
{
"type": "PACKAGE",
"url": "https://github.com/etcd-io/etcd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "etcd: Authorization bypasses in multiple APIs"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.