GHSA-RFX7-8W68-Q57Q
Vulnerability from github – Published: 2026-03-20 20:34 – Updated: 2026-03-27 20:48
VLAI?
Summary
etcd: Nested etcd transactions bypass RBAC authorization checks
Details
Impact
What kind of vulnerability is it? Who is impacted?
An authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store.
Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.
Patches
Has the problem been patched? What versions should users upgrade to?
This vulnerability is patched in the following versions:
- etcd 3.6.9
- etcd 3.5.28
- etcd 3.4.42
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice.
- restrict network access to etcd server ports so only trusted components can connect
- require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution
Reporters
Our community helps keep etcd secure
SIG-Etcd thanks community members Luke Francis and Battulga Byambaa for reporting this vulnerability.
Severity ?
0.0 (None)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.6.8"
},
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.6.0-alpha.0"
},
{
"fixed": "3.6.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.5.27"
},
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.0-alpha.0"
},
{
"fixed": "3.5.28"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.4.41"
},
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.42"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.3.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33343"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:34:44Z",
"nvd_published_at": "2026-03-26T14:16:13Z",
"severity": "LOW"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nAn authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. \n \nKubernetes does not rely on etcd\u2019s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThis vulnerability is patched in the following versions:\n\n* etcd 3.6.9\n* etcd 3.5.28\n* etcd 3.4.42\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nIf upgrading is not immediately possible, reduce exposure by treating the affected\nRPCs as unauthenticated in practice.\n\n* restrict network access to etcd server ports so only trusted components can connect\n* require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate\ndistribution\n\n### Reporters\n_Our community helps keep etcd secure_\n\nSIG-Etcd thanks community members Luke Francis and Battulga Byambaa for reporting this vulnerability.",
"id": "GHSA-rfx7-8w68-q57q",
"modified": "2026-03-27T20:48:19Z",
"published": "2026-03-20T20:34:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33343"
},
{
"type": "PACKAGE",
"url": "https://github.com/etcd-io/etcd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "etcd: Nested etcd transactions bypass RBAC authorization checks"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…