CVE-2026-33413
Authentication Bypass in etcd gRPC API Enables Cluster Disruption

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients.

In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to:

  • call MemberList and learn cluster topology, including member IDs and advertised endpoints;
  • call Alarm, which can be abused for operational disruption or denial of service;
  • use Lease APIs, interfering with TTL-based keys and lease ownership; and/or
  • trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows.

Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.

Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice: restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor  Product  Version / Range
etcd    etcd     up to 3.4.42 (excluding)
etcd    etcd     from 3.5.0 (including) to 3.5.28 (excluding)
etcd    etcd     from 3.6.0 (including) to 3.6.9 (excluding)
CWE
CWE ID    Description
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthorized users to bypass authentication and authorization checks in etcd clusters exposing the gRPC API, potentially leading to unauthorized access to cluster topology information, operational disruption, denial of service, and interference with audit and recovery workflows.

Such unauthorized access and disruption could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on data access, integrity, and auditability.

Specifically, the ability to disrupt audit and recovery workflows by triggering unauthorized compaction may hinder the ability to maintain accurate audit trails, a key requirement in many compliance frameworks.

Mitigations such as restricting network access, enforcing strong client identity (e.g., mTLS), and upgrading to patched versions help reduce the risk and support compliance efforts.


Can you explain this vulnerability to me?

CVE-2026-33413 is a vulnerability in the etcd distributed key-value store affecting versions prior to 3.4.42, 3.5.28, and 3.6.9. It allows unauthorized users to bypass authentication and authorization checks when the etcd cluster exposes the gRPC API to untrusted or partially trusted clients and has authentication enabled.

Exploitable functions include MemberList, which reveals cluster topology; Alarm, which can cause operational disruption or denial of service; Lease APIs, which interfere with TTL-based keys and lease ownership; and Compaction, which can permanently remove historical data and disrupt watch, audit, and recovery workflows.

Kubernetes deployments are generally not affected because they handle authentication and authorization at the API server level rather than relying on etcd’s built-in mechanisms.


How can this vulnerability impact me?

This vulnerability can impact you by allowing unauthorized users to gain sensitive information about your etcd cluster topology, disrupt operations, cause denial of service, interfere with key leases, and permanently remove historical data necessary for auditing and recovery.

  • Unauthorized retrieval of cluster member IDs and endpoints.
  • Operational disruption or denial of service via the Alarm function.
  • Interference with TTL-based keys and lease ownership through Lease APIs.
  • Permanent removal of historical revisions by triggering compaction, disrupting watch, audit, and recovery workflows.

If your etcd cluster is exposed to untrusted clients and is unpatched, these impacts can compromise the availability, integrity, and confidentiality of your distributed system data.


What immediate steps should I take to mitigate this vulnerability?

If immediate upgrading to patched versions is not possible, you should take the following mitigation steps:

  • Treat the affected RPCs as unauthenticated in practice.
  • Restrict network access to etcd server ports so only trusted components can connect.
  • Require strong client identity at the transport layer, such as mutual TLS (mTLS) with tightly scoped client certificate distribution.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized access to certain etcd gRPC APIs when authentication is enabled but bypassed. Detection involves checking if your etcd cluster exposes the gRPC API to untrusted or partially trusted clients and if unauthorized calls to sensitive functions like MemberList, Alarm, Lease APIs, or Compaction are possible.

To detect potential exploitation or presence of this vulnerability on your system, you can monitor network traffic to etcd server ports for unauthorized gRPC calls or attempt to call these APIs without authentication to verify if access is improperly granted.

Suggested commands or approaches include:

  • Use grpcurl or similar gRPC client tools to attempt calling MemberList, Alarm, Lease, or Compaction APIs on the etcd server without authentication to check if access is allowed.
  • Monitor network connections to etcd server ports (default 2379) using tools like tcpdump or Wireshark to detect unauthorized or unexpected gRPC traffic.
  • Check etcd server logs for unauthorized API calls or authentication bypass attempts.
  • Verify your etcd version to ensure it is not older than the patched versions (3.4.42, 3.5.28, 3.6.9).
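As an added example (not part of this advisory or of the etcd project), a small Python check that parses `etcd --version` or `etcdctl version` output and compares the version against the three affected ranges from the CPE table above; the sample output it runs on is constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as listed for CVE-2026-33413:
# (lower bound inclusive or None, upper bound exclusive)
AFFECTED_RANGES = [
    (None, (3, 4, 42)),        # everything before 3.4.42
    ((3, 5, 0), (3, 5, 28)),   # 3.5.0 <= v < 3.5.28
    ((3, 6, 0), (3, 6, 9)),    # 3.6.0 <= v < 3.6.9
]

# Matches "etcd Version: 3.5.20" and "etcdctl version: 3.5.20"
VERSION_RE = re.compile(r"[Vv]ersion:\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first x.y.z version from etcd/etcdctl version output."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if the version falls inside one of the affected ranges."""
    for low, high in AFFECTED_RANGES:
        if (low is None or low <= version) and version < high:
            return True
    return False


def assess(output: str) -> str:
    """Human-readable verdict for a captured version string."""
    v = parse_version(output)
    if v is None:
        return "unknown: could not parse a version"
    tag = "AFFECTED" if is_affected(v) else "not affected"
    return f"{'.'.join(map(str, v))}: {tag}"


if __name__ == "__main__":
    # Constructed sample, shaped like `etcd --version` output.
    SAMPLE = "etcd Version: 3.5.20\nGit SHA: 0123abc\nGo Version: go1.22.0\n"
    print(assess(SAMPLE))
```

Pipe real output in with `etcd --version | python3 check.py` after replacing the sample with `sys.stdin.read()`.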
