{"id":"CVE-2026-33413","summary":"etcd: Authorization bypasses in multiple APIs","details":"etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.","aliases":["BIT-etcd-2026-33413","GHSA-q8m4-xhhv-38mg","GO-2026-4806"],"modified":"2026-04-17T09:14:28.760702378Z","published":"2026-03-26T13:36:10.919Z","related":["CGA-rvqf-799h-8h4h","openSUSE-SU-2026:10562-1"],"database_specific":{"cwe_ids":["CWE-862"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33413.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33413.json"},{"type":"ADVISORY","url":"https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33413"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/etcd-io/etcd","events":[{"introduced":"fb559105006337157635673f216c2f1392050f83"},{"fixed":"85651fa521731aaecad76ff81dee5450a766c874"}],"database_specific":{"versions":[{"introduced":"3.6.0-alpha.0"},{"fixed":"3.6.9"}]}},{"type":"GIT","repo":"https://github.com/etcd-io/etcd","events":[{"introduced":"60d5159091ab06e80ad446ce9e4f415e5f53439e"},{"fixed":"f22ac30e2b38595d6f5b12a068707c6bfcbb2517"}],"database_specific":{"versions":[{"introduced":"3.5.0-alpha.0"},{"fixed":"3.5.28"}]}},{"type":"GIT","repo":"https://github.com/etcd-io/etcd","events":[{"introduced":"0"},{"fixed":"89dc59aa1c7cc458aae18876a4866d29600bc07a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.4.42"}]}}],"versions":["0","api/v3.5.0","api/v3.5.0-alpha.0","api/v3.5.0-beta.2","api/v3.5.0-beta.3","api/v3.5.0-beta.4","api/v3.5.0-rc.0","api/v3.5.0-rc.1","api/v3.5.1","api/v3.5.10","api/v3.5.11","api/v3.5.12","api/v3.5.13","api/v3.5.14","api/v3.5.15","api/v3.5.16","api/v3.5.17","api/v3.5.18","api/v3.5.19","api/v3.5.2","api/v3.5.20","api/v3.5.21","api/v3.5.22","api/v3.5.23","api/v3.5.24","api/v3.5.25","api/v3.5.26","api/v3.5.27","api/v3.5.3","api/v3.5.4","api/v3.5.5","api/v3.5.6","api/v3.5.7","api/v3.5.8","api/v3.5.9","api/v3.6.0","api/v3.6.0-alpha.0","api/v3.6.0-rc.0","api/v3.6.0-rc.1","api/v3.6.0-rc.2","api/v3.6.0-rc.3","api/v3.6.0-rc.4","api/v3.6.0-rc.5","api/v3.6.1","api/v3.6.2","api/v3.6.3","api/v3.6.4","api/v3.6.5","api/v3.6.6","api/v3.6.7","api/v3.6.8","client/pkg/v3.5.0","client/pkg/v3.5.0-beta.2","client/pkg/v3.5.0-beta.3","client/pkg/v3.5.0-beta.4","client/pkg/v3.5.0-rc.0","client/pkg/v3.5.0-rc.1","client/pkg/v3.5.1","client/pkg/v3.5.10","client/pkg/v3.5.11","client/pkg/v3.5.12","client/pkg/v3.5.13","client/pkg/v3.5.14","client/pkg/v3.5.15","client/pkg/v3.5.16","client/pkg/v3.5.17","client/pkg/v3.5.18","client/pkg/v3.5.19","client/pkg/v3.5.2","client/pkg/v3.5.20","client/pkg/v3.5.21","client/pkg/v3.5.22","client/pkg/v3.5.23","client/pkg/v3.5.24","client/pkg/v3.5.25","client/pkg/v3.5.26","client/pkg/v3.5.27","client/pkg/v3.5.3","client/pkg/v3.5.4","client/pkg/v3.5.5","client/pkg/v3.5.6","client/pkg/v3.5.7","client/pkg/v3.5.8","client/pkg/v3.5.9","client/pkg/v3.6.0","client/pkg/v3.6.0-alpha.0","client/pkg/v3.6.0-rc.0","client/pkg/v3.6.0-rc.1","client/pkg/v3.6.0-rc.2","client/pkg/v3.6.0-rc.3","client/pkg/v3.6.0-rc.4","client/pkg/v3.6.0-rc.5","client/pkg/v3.6.1","client/pkg/v3.6.2","client/pkg/v3.6.3","client/pkg/v3.6.4","client/pkg/v3.6.5","client/pkg/v3.6.6","client/pkg/v3.6.7","client/pkg/v3.6.8","client/v2.305.0","client/v2.305.0-alpha.0","client/v2.305.0-beta.2","client/v2.305.0-beta.3","client/v2.305.0-beta.4","client/v2.305.0-rc.0","client/v2.305.0-rc.1","client/v2.305.1","client/v2.305.10","client/v2.305.11","client/v2.305.12","client/v2.305.13","client/v2.305.14","client/v2.305.15","client/v2.305.16","client/v2.305.17","client/v2.305.18","client/v2.305.19","client/v2.305.2","client/v2.305.20","client/v2.305.21","client/v2.305.22","client/v2.305.23","client/v2.305.24","client/v2.305.25","client/v2.305.26","client/v2.305.27","client/v2.305.3","client/v2.305.4","client/v2.305.5","client/v2.305.6","client/v2.305.7","client/v2.305.8","client/v2.305.9","client/v2.306.0-alpha.0","client/v2.306.0-rc.0","client/v2.306.0-rc.1","client/v2.306.0-rc.2","client/v3.5.0","client/v3.5.0-alpha.0","client/v3.5.0-beta.2","client/v3.5.0-beta.3","client/v3.5.0-beta.4","client/v3.5.0-rc.0","client/v3.5.0-rc.1","client/v3.5.1","client/v3.5.10","client/v3.5.11","client/v3.5.12","client/v3.5.13","client/v3.5.14","client/v3.5.15","client/v3.5.16","client/v3.5.17","client/v3.5.18","client/v3.5.19","client/v3.5.2","client/v3.5.20","client/v3.5.21","client/v3.5.22","client/v3.5.23","client/v3.5.24","client/v3.5.25","client/v3.5.26","client/v3.5.27","client/v3.5.3","client/v3.5.4","client/v3.5.5","client/v3.5.6","client/v3.5.7","client/v3.5.8","client/v3.5.9","client/v3.6.0","client/v3.6.0-alpha.0","client/v3.6.0-rc.0","client/v3.6.0-rc.1","client/v3.6.0-rc.2","client/v3.6.0-rc.3","client/v3.6.0-rc.4","client/v3.6.0-rc.5","client/v3.6.1","client/v3.6.2","client/v3.6.3","client/v3.6.4","client/v3.6.5","client/v3.6.6","client/v3.6.7","client/v3.6.8","etcdctl/v3.5.0","etcdctl/v3.5.0-alpha.0","etcdctl/v3.5.0-beta.2","etcdctl/v3.5.0-beta.3","etcdctl/v3.5.0-beta.4","etcdctl/v3.5.0-rc.0","etcdctl/v3.5.0-rc.1","etcdctl/v3.5.1","etcdctl/v3.5.10","etcdctl/v3.5.11","etcdctl/v3.5.12","etcdctl/v3.5.13","etcdctl/v3.5.14","etcdctl/v3.5.15","etcdctl/v3.5.16","etcdctl/v3.5.17","etcdctl/v3.5.18","etcdctl/v3.5.19","etcdctl/v3.5.2","etcdctl/v3.5.20","etcdctl/v3.5.21","etcdctl/v3.5.22","etcdctl/v3.5.23","etcdctl/v3.5.24","etcdctl/v3.5.25","etcdctl/v3.5.26","etcdctl/v3.5.27","etcdctl/v3.5.3","etcdctl/v3.5.4","etcdctl/v3.5.5","etcdctl/v3.5.6","etcdctl/v3.5.7","etcdctl/v3.5.8","etcdctl/v3.5.9","etcdctl/v3.6.0","etcdctl/v3.6.0-alpha.0","etcdctl/v3.6.0-rc.0","etcdctl/v3.6.0-rc.1","etcdctl/v3.6.0-rc.2","etcdctl/v3.6.0-rc.3","etcdctl/v3.6.0-rc.4","etcdctl/v3.6.0-rc.5","etcdctl/v3.6.1","etcdctl/v3.6.2","etcdctl/v3.6.3","etcdctl/v3.6.4","etcdctl/v3.6.5","etcdctl/v3.6.6","etcdctl/v3.6.7","etcdctl/v3.6.8","etcdutl/v3.5.0","etcdutl/v3.5.0-beta.2","etcdutl/v3.5.0-beta.3","etcdutl/v3.5.0-beta.4","etcdutl/v3.5.0-rc.0","etcdutl/v3.5.0-rc.1","etcdutl/v3.5.1","etcdutl/v3.5.10","etcdutl/v3.5.11","etcdutl/v3.5.12","etcdutl/v3.5.13","etcdutl/v3.5.14","etcdutl/v3.5.15","etcdutl/v3.5.16","etcdutl/v3.5.17","etcdutl/v3.5.18","etcdutl/v3.5.19","etcdutl/v3.5.2","etcdutl/v3.5.20","etcdutl/v3.5.21","etcdutl/v3.5.22","etcdutl/v3.5.23","etcdutl/v3.5.24","etcdutl/v3.5.25","etcdutl/v3.5.26","etcdutl/v3.5.27","etcdutl/v3.5.3","etcdutl/v3.5.4","etcdutl/v3.5.5","etcdutl/v3.5.6","etcdutl/v3.5.7","etcdutl/v3.5.8","etcdutl/v3.5.9","etcdutl/v3.6.0","etcdutl/v3.6.0-alpha.0","etcdutl/v3.6.0-rc.0","etcdutl/v3.6.0-rc.1","etcdutl/v3.6.0-rc.2","etcdutl/v3.6.0-rc.3","etcdutl/v3.6.0-rc.4","etcdutl/v3.6.0-rc.5","etcdutl/v3.6.1","etcdutl/v3.6.2","etcdutl/v3.6.3","etcdutl/v3.6.4","etcdutl/v3.6.5","etcdutl/v3.6.6","etcdutl/v3.6.7","etcdutl/v3.6.8","pkg/v3.5.0","pkg/v3.5.0-alpha.0","pkg/v3.5.0-beta.2","pkg/v3.5.0-beta.3","pkg/v3.5.0-beta.4","pkg/v3.5.0-rc.0","pkg/v3.5.0-rc.1","pkg/v3.5.1","pkg/v3.5.10","pkg/v3.5.11","pkg/v3.5.12","pkg/v3.5.13","pkg/v3.5.14","pkg/v3.5.15","pkg/v3.5.16","pkg/v3.5.17","pkg/v3.5.18","pkg/v3.5.19","pkg/v3.5.2","pkg/v3.5.20","pkg/v3.5.21","pkg/v3.5.22","pkg/v3.5.23","pkg/v3.5.24","pkg/v3.5.25","pkg/v3.5.26","pkg/v3.5.27","pkg/v3.5.3","pkg/v3.5.4","pkg/v3.5.5","pkg/v3.5.6","pkg/v3.5.7","pkg/v3.5.8","pkg/v3.5.9","pkg/v3.6.0","pkg/v3.6.0-alpha.0","pkg/v3.6.0-rc.0","pkg/v3.6.0-rc.1","pkg/v3.6.0-rc.2","pkg/v3.6.0-rc.3","pkg/v3.6.0-rc.4","pkg/v3.6.0-rc.5","pkg/v3.6.1","pkg/v3.6.2","pkg/v3.6.3","pkg/v3.6.4","pkg/v3.6.5","pkg/v3.6.6","pkg/v3.6.7","pkg/v3.6.8","raft/v3.5.0","raft/v3.5.0-alpha.0","raft/v3.5.0-beta.2","raft/v3.5.0-beta.3","raft/v3.5.0-beta.4","raft/v3.5.0-rc.0","raft/v3.5.0-rc.1","raft/v3.5.1","raft/v3.5.10","raft/v3.5.11","raft/v3.5.12","raft/v3.5.13","raft/v3.5.14","raft/v3.5.15","raft/v3.5.16","raft/v3.5.17","raft/v3.5.18","raft/v3.5.19","raft/v3.5.2","raft/v3.5.20","raft/v3.5.21","raft/v3.5.22","raft/v3.5.23","raft/v3.5.24","raft/v3.5.25","raft/v3.5.26","raft/v3.5.27","raft/v3.5.3","raft/v3.5.4","raft/v3.5.5","raft/v3.5.6","raft/v3.5.7","raft/v3.5.8","raft/v3.5.9","raft/v3.6.0-alpha.0","server/v3.5.0","server/v3.5.0-alpha.0","server/v3.5.0-beta.2","server/v3.5.0-beta.3","server/v3.5.0-beta.4","server/v3.5.0-rc.0","server/v3.5.0-rc.1","server/v3.5.1","server/v3.5.10","server/v3.5.11","server/v3.5.12","server/v3.5.13","server/v3.5.14","server/v3.5.15","server/v3.5.16","server/v3.5.17","server/v3.5.18","server/v3.5.19","server/v3.5.2","server/v3.5.20","server/v3.5.21","server/v3.5.22","server/v3.5.23","server/v3.5.24","server/v3.5.25","server/v3.5.26","server/v3.5.27","server/v3.5.3","server/v3.5.4","server/v3.5.5","server/v3.5.6","server/v3.5.7","server/v3.5.8","server/v3.5.9","server/v3.6.0","server/v3.6.0-alpha.0","server/v3.6.0-rc.0","server/v3.6.0-rc.1","server/v3.6.0-rc.2","server/v3.6.0-rc.3","server/v3.6.0-rc.4","server/v3.6.0-rc.5","server/v3.6.1","server/v3.6.2","server/v3.6.3","server/v3.6.4","server/v3.6.5","server/v3.6.6","server/v3.6.7","server/v3.6.8","tests/v3.5.0","tests/v3.5.0-alpha.0","tests/v3.5.0-beta.2","tests/v3.5.0-beta.3","tests/v3.5.0-beta.4","tests/v3.5.0-rc.0","tests/v3.5.0-rc.1","tests/v3.5.1","tests/v3.5.10","tests/v3.5.11","tests/v3.5.12","tests/v3.5.13","tests/v3.5.14","tests/v3.5.15","tests/v3.5.16","tests/v3.5.17","tests/v3.5.18","tests/v3.5.19","tests/v3.5.2","tests/v3.5.20","tests/v3.5.21","tests/v3.5.22","tests/v3.5.23","tests/v3.5.24","tests/v3.5.25","tests/v3.5.26","tests/v3.5.27","tests/v3.5.3","tests/v3.5.4","tests/v3.5.5","tests/v3.5.6","tests/v3.5.7","tests/v3.5.8","tests/v3.5.9","tests/v3.6.0","tests/v3.6.0-alpha.0","tests/v3.6.0-rc.0","tests/v3.6.0-rc.1","tests/v3.6.0-rc.2","tests/v3.6.0-rc.3","tests/v3.6.0-rc.4","tests/v3.6.0-rc.5","tests/v3.6.1","tests/v3.6.2","tests/v3.6.3","tests/v3.6.4","tests/v3.6.5","tests/v3.6.6","tests/v3.6.7","tests/v3.6.8","v0.1.0","v0.1.1","v0.1.2","v0.2.0","v0.2.0-rc1","v0.2.0-rc2","v0.2.0-rc3","v0.2.0-rc4","v0.3.0","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.4.4","v0.4.5","v0.4.6","v0.5.0-alpha.0","v0.5.0-alpha.1","v0.5.0-alpha.2","v0.5.0-alpha.3","v0.5.0-alpha.4","v0.5.0-alpha.5","v2.0.0","v2.0.0-rc.1","v2.0.1","v2.0.2","v2.0.3","v2.0.4","v2.1.0","v2.1.0-alpha.0","v2.1.0-alpha.1","v2.1.0-rc.0","v2.1.1","v2.2.0","v2.2.0-alpha.0","v2.2.0-alpha.1","v2.2.0-rc.0","v2.3.0","v2.3.0-alpha.0","v2.3.0-alpha.1","v3.0.0-beta.0","v3.1.0-alpha.0","v3.1.0-alpha.1","v3.1.0-rc.0","v3.1.0-rc.1","v3.2.0+git","v3.2.0-rc.0","v3.2.0-rc.1","v3.2.0_plus_git","v3.2.10_plus_git","v3.3.0-rc.0","v3.3.9_plus_git","v3.4.0","v3.4.0-rc.0","v3.4.0-rc.1","v3.4.0-rc.2","v3.4.0-rc.3","v3.4.0-rc.4","v3.4.1","v3.4.10","v3.4.11","v3.4.12","v3.4.13","v3.4.14","v3.4.15","v3.4.16","v3.4.17","v3.4.18","v3.4.19","v3.4.2","v3.4.20","v3.4.21","v3.4.22","v3.4.23","v3.4.24","v3.4.25","v3.4.26","v3.4.27","v3.4.28","v3.4.29","v3.4.3","v3.4.30","v3.4.31","v3.4.32","v3.4.33","v3.4.34","v3.4.35","v3.4.36","v3.4.37","v3.4.38","v3.4.39","v3.4.4","v3.4.40","v3.4.41","v3.4.5","v3.4.6","v3.4.7","v3.4.8","v3.4.9","v3.5.0","v3.5.0-alpha.0","v3.5.0-beta.0","v3.5.0-beta.1","v3.5.0-beta.2","v3.5.0-beta.3","v3.5.0-beta.4","v3.5.0-rc.0","v3.5.0-rc.1","v3.5.1","v3.5.10","v3.5.11","v3.5.12","v3.5.13","v3.5.14","v3.5.15","v3.5.16","v3.5.17","v3.5.18","v3.5.19","v3.5.2","v3.5.20","v3.5.21","v3.5.22","v3.5.23","v3.5.24","v3.5.25","v3.5.26","v3.5.27","v3.5.3","v3.5.4","v3.5.5","v3.5.6","v3.5.7","v3.5.8","v3.5.9","v3.6.0","v3.6.0-alpha.0","v3.6.0-rc.0","v3.6.0-rc.1","v3.6.0-rc.2","v3.6.0-rc.3","v3.6.0-rc.4","v3.6.0-rc.5","v3.6.1","v3.6.2","v3.6.3","v3.6.4","v3.6.5","v3.6.6","v3.6.7","v3.6.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33413.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"}]}