CVE-2026-33343

Name of the Vulnerable Software and Affected Versions etcd versions prior to 3.4.42 etcd versions prior to 3.5.28 etcd versions prior to 3.6.9

Description An authenticated user with Role-Based Access Control (RBAC) restricted permissions on key ranges can bypass key-level authorization using nested transactions. This allows any authenticated user with direct access to the etcd data store to ignore key range restrictions and access the entire data store. Kubernetes deployments that rely on the API server for authentication and authorization are not affected.

Recommendations Upgrade to etcd version 3.4.42 or later. Upgrade to etcd version 3.5.28 or later. Upgrade to etcd version 3.6.9 or later. If upgrading is not immediately possible, treat the affected Remote Procedure Calls (RPCs) as unauthenticated. Restrict network access to etcd server ports to only trusted components. Require strong client identity at the transport layer, such as mutual Transport Layer Security (mTLS) with tightly scoped client certificate distribution.