PT-2026-26756 · Etcd · Etcd

Published: 2026-01-01 · Updated: 2026-04-16 · CVE-2026-33413

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
etcd versions prior to 3.4.42
etcd versions prior to 3.5.28
etcd versions prior to 3.6.9
Description
Unauthorized users may bypass authentication or authorization checks and call specific functions in clusters that expose the gRPC API to untrusted or partially trusted clients. An attacker can call MemberList() to learn the cluster topology, including member IDs and advertised endpoints, or call Alarm() to cause operational disruption or denial of service. The Lease APIs can likewise be used to interfere with TTL-based keys and lease ownership, and compaction can be triggered to permanently remove historical revisions, which disrupts watch, audit, and recovery workflows. Typical Kubernetes deployments are not affected, because the API server handles authentication and authorization independently of etcd.
Recommendations
Update to version 3.4.42, 3.5.28 or 3.6.9, depending on the release series in use.
Restrict network access to etcd server ports so that only trusted components can connect.
Require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
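As an added example (not part of the advisory or of the etcd project), a small Python audit that applies the fixed-version thresholds above to a reported etcd version and flags client-listener settings that leave the gRPC API reachable by untrusted clients. The flag names mirror etcd's CLI options; versions below the 3.4 series are assumed affected because the advisory lists no fixed release for them, and series newer than 3.6 are assumed unaffected because they are not listed.

```python
"""Audit an etcd member against CVE-2026-33413 (added example, not etcd code)."""
import re

# Fixed releases per 3.x series, as listed in the advisory.
FIXED = {(3, 4): (3, 4, 42), (3, 5): (3, 5, 28), (3, 6): (3, 6, 9)}


def parse_version(v: str) -> tuple:
    """Turn '3.5.27', 'v3.5.27' or '3.5.27-rc.0' into (3, 5, 27)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised etcd version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version is below the fixed release of its series.

    Assumption: series older than 3.4 have no fixed release in the advisory,
    so they are treated as affected; series newer than 3.6 are not listed
    and are reported as unaffected.
    """
    major, minor, patch = parse_version(version)
    if (major, minor) < (3, 4):
        return True
    fixed = FIXED.get((major, minor))
    return fixed is not None and (major, minor, patch) < fixed


def audit_flags(flags: dict) -> list:
    """Report client-listener settings that leave the gRPC API reachable
    by untrusted clients. Keys mirror etcd's CLI flag names."""
    findings = []
    if not flags.get("client-cert-auth", False):
        findings.append("client-cert-auth is off: clients need not present a certificate")
    if not flags.get("trusted-ca-file"):
        findings.append("no trusted-ca-file: client certificates cannot be verified")
    for url in flags.get("listen-client-urls", "").split(","):
        if url.startswith("http://"):
            findings.append(f"plaintext client listener: {url}")
        if "0.0.0.0" in url or "[::]" in url:
            findings.append(f"client listener bound to all interfaces: {url}")
    return findings


if __name__ == "__main__":
    # Constructed sample: an unpatched member with an open plaintext listener.
    member = {"version": "3.5.27", "listen-client-urls": "http://0.0.0.0:2379"}
    print("affected:", is_affected(member["version"]))
    for finding in audit_flags(member):
        print("finding:", finding)
```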

Exploit

Fix

DoS

Missing Authorization

Weakness Enumeration

Related Identifiers

BIT-ETCD-2026-33413
CVE-2026-33413
GHSA-Q8M4-XHHV-38MG
GO-2026-4806
OPENSUSE-SU-2026:10562-1

Affected Products

Etcd