{"id":"BIT-etcd-2026-44283","summary":"etcd: Read access via PrevKv in etcd transactions may bypass RBAC authorization checks","details":"etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled. This vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11.","aliases":["CVE-2026-44283","GHSA-x35m-3gp4-4fh5"],"modified":"2026-05-18T08:11:04.263879936Z","published":"2026-05-18T05:39:24.166Z","database_specific":{"cpes":["cpe:2.3:a:etcd:etcd:*:*:*:*:*:go:*:*"],"severity":"Medium"},"references":[{"type":"WEB","url":"https://github.com/etcd-io/etcd/security/advisories/GHSA-x35m-3gp4-4fh5"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44283"}],"affected":[{"package":{"name":"etcd","ecosystem":"Bitnami","purl":"pkg:bitnami/etcd"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.4.44"},{"introduced":"3.5.0"},{"fixed":"3.5.30"},{"introduced":"3.6.0"},{"fixed":"3.6.11"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/etcd/BIT-etcd-2026-44283.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}],"schema_version":"1.7.5"}