CVE-2026-33413

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33413
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33413.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33413
Aliases
Downstream
Related
Published
2026-03-26T13:36:10.919Z
Modified
2026-04-17T09:14:28.760702378Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
etcd: Authorization bypasses in multiple APIs
Details

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33413.json",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/etcd-io/etcd

Affected ranges

Type
GIT
Repo
https://github.com/etcd-io/etcd
Events
Introduced
fb559105006337157635673f216c2f1392050f83
Fixed
85651fa521731aaecad76ff81dee5450a766c874
Database specific 
{
    "versions": [
        {
            "introduced": "3.6.0-alpha.0"
        },
        {
            "fixed": "3.6.9"
        }
    ]
}
Type
GIT
Repo
https://github.com/etcd-io/etcd
Events
Introduced
60d5159091ab06e80ad446ce9e4f415e5f53439e
Fixed
f22ac30e2b38595d6f5b12a068707c6bfcbb2517
Database specific 
{
    "versions": [
        {
            "introduced": "3.5.0-alpha.0"
        },
        {
            "fixed": "3.5.28"
        }
    ]
}
Type
GIT
Repo
https://github.com/etcd-io/etcd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
89dc59aa1c7cc458aae18876a4866d29600bc07a
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.4.42"
        }
    ]
}

Affected versions

Other
0
api/v3.*
api/v3.5.0
api/v3.5.0-alpha.0
api/v3.5.0-beta.2
api/v3.5.0-beta.3
api/v3.5.0-beta.4
api/v3.5.0-rc.0
api/v3.5.0-rc.1
api/v3.5.1
api/v3.5.10
api/v3.5.11
api/v3.5.12
api/v3.5.13
api/v3.5.14
api/v3.5.15
api/v3.5.16
api/v3.5.17
api/v3.5.18
api/v3.5.19
api/v3.5.2
api/v3.5.20
api/v3.5.21
api/v3.5.22
api/v3.5.23
api/v3.5.24
api/v3.5.25
api/v3.5.26
api/v3.5.27
api/v3.5.3
api/v3.5.4
api/v3.5.5
api/v3.5.6
api/v3.5.7
api/v3.5.8
api/v3.5.9
api/v3.6.0
api/v3.6.0-alpha.0
api/v3.6.0-rc.0
api/v3.6.0-rc.1
api/v3.6.0-rc.2
api/v3.6.0-rc.3
api/v3.6.0-rc.4
api/v3.6.0-rc.5
api/v3.6.1
api/v3.6.2
api/v3.6.3
api/v3.6.4
api/v3.6.5
api/v3.6.6
api/v3.6.7
api/v3.6.8
client/pkg/v3.*
client/pkg/v3.5.0
client/pkg/v3.5.0-beta.2
client/pkg/v3.5.0-beta.3
client/pkg/v3.5.0-beta.4
client/pkg/v3.5.0-rc.0
client/pkg/v3.5.0-rc.1
client/pkg/v3.5.1
client/pkg/v3.5.10
client/pkg/v3.5.11
client/pkg/v3.5.12
client/pkg/v3.5.13
client/pkg/v3.5.14
client/pkg/v3.5.15
client/pkg/v3.5.16
client/pkg/v3.5.17
client/pkg/v3.5.18
client/pkg/v3.5.19
client/pkg/v3.5.2
client/pkg/v3.5.20
client/pkg/v3.5.21
client/pkg/v3.5.22
client/pkg/v3.5.23
client/pkg/v3.5.24
client/pkg/v3.5.25
client/pkg/v3.5.26
client/pkg/v3.5.27
client/pkg/v3.5.3
client/pkg/v3.5.4
client/pkg/v3.5.5
client/pkg/v3.5.6
client/pkg/v3.5.7
client/pkg/v3.5.8
client/pkg/v3.5.9
client/pkg/v3.6.0
client/pkg/v3.6.0-alpha.0
client/pkg/v3.6.0-rc.0
client/pkg/v3.6.0-rc.1
client/pkg/v3.6.0-rc.2
client/pkg/v3.6.0-rc.3
client/pkg/v3.6.0-rc.4
client/pkg/v3.6.0-rc.5
client/pkg/v3.6.1
client/pkg/v3.6.2
client/pkg/v3.6.3
client/pkg/v3.6.4
client/pkg/v3.6.5
client/pkg/v3.6.6
client/pkg/v3.6.7
client/pkg/v3.6.8
client/v2.*
client/v2.305.0
client/v2.305.0-alpha.0
client/v2.305.0-beta.2
client/v2.305.0-beta.3
client/v2.305.0-beta.4
client/v2.305.0-rc.0
client/v2.305.0-rc.1
client/v2.305.1
client/v2.305.10
client/v2.305.11
client/v2.305.12
client/v2.305.13
client/v2.305.14
client/v2.305.15
client/v2.305.16
client/v2.305.17
client/v2.305.18
client/v2.305.19
client/v2.305.2
client/v2.305.20
client/v2.305.21
client/v2.305.22
client/v2.305.23
client/v2.305.24
client/v2.305.25
client/v2.305.26
client/v2.305.27
client/v2.305.3
client/v2.305.4
client/v2.305.5
client/v2.305.6
client/v2.305.7
client/v2.305.8
client/v2.305.9
client/v2.306.0-alpha.0
client/v2.306.0-rc.0
client/v2.306.0-rc.1
client/v2.306.0-rc.2
client/v3.*
client/v3.5.0
client/v3.5.0-alpha.0
client/v3.5.0-beta.2
client/v3.5.0-beta.3
client/v3.5.0-beta.4
client/v3.5.0-rc.0
client/v3.5.0-rc.1
client/v3.5.1
client/v3.5.10
client/v3.5.11
client/v3.5.12
client/v3.5.13
client/v3.5.14
client/v3.5.15
client/v3.5.16
client/v3.5.17
client/v3.5.18
client/v3.5.19
client/v3.5.2
client/v3.5.20
client/v3.5.21
client/v3.5.22
client/v3.5.23
client/v3.5.24
client/v3.5.25
client/v3.5.26
client/v3.5.27
client/v3.5.3
client/v3.5.4
client/v3.5.5
client/v3.5.6
client/v3.5.7
client/v3.5.8
client/v3.5.9
client/v3.6.0
client/v3.6.0-alpha.0
client/v3.6.0-rc.0
client/v3.6.0-rc.1
client/v3.6.0-rc.2
client/v3.6.0-rc.3
client/v3.6.0-rc.4
client/v3.6.0-rc.5
client/v3.6.1
client/v3.6.2
client/v3.6.3
client/v3.6.4
client/v3.6.5
client/v3.6.6
client/v3.6.7
client/v3.6.8
etcdctl/v3.*
etcdctl/v3.5.0
etcdctl/v3.5.0-alpha.0
etcdctl/v3.5.0-beta.2
etcdctl/v3.5.0-beta.3
etcdctl/v3.5.0-beta.4
etcdctl/v3.5.0-rc.0
etcdctl/v3.5.0-rc.1
etcdctl/v3.5.1
etcdctl/v3.5.10
etcdctl/v3.5.11
etcdctl/v3.5.12
etcdctl/v3.5.13
etcdctl/v3.5.14
etcdctl/v3.5.15
etcdctl/v3.5.16
etcdctl/v3.5.17
etcdctl/v3.5.18
etcdctl/v3.5.19
etcdctl/v3.5.2
etcdctl/v3.5.20
etcdctl/v3.5.21
etcdctl/v3.5.22
etcdctl/v3.5.23
etcdctl/v3.5.24
etcdctl/v3.5.25
etcdctl/v3.5.26
etcdctl/v3.5.27
etcdctl/v3.5.3
etcdctl/v3.5.4
etcdctl/v3.5.5
etcdctl/v3.5.6
etcdctl/v3.5.7
etcdctl/v3.5.8
etcdctl/v3.5.9
etcdctl/v3.6.0
etcdctl/v3.6.0-alpha.0
etcdctl/v3.6.0-rc.0
etcdctl/v3.6.0-rc.1
etcdctl/v3.6.0-rc.2
etcdctl/v3.6.0-rc.3
etcdctl/v3.6.0-rc.4
etcdctl/v3.6.0-rc.5
etcdctl/v3.6.1
etcdctl/v3.6.2
etcdctl/v3.6.3
etcdctl/v3.6.4
etcdctl/v3.6.5
etcdctl/v3.6.6
etcdctl/v3.6.7
etcdctl/v3.6.8
etcdutl/v3.*
etcdutl/v3.5.0
etcdutl/v3.5.0-beta.2
etcdutl/v3.5.0-beta.3
etcdutl/v3.5.0-beta.4
etcdutl/v3.5.0-rc.0
etcdutl/v3.5.0-rc.1
etcdutl/v3.5.1
etcdutl/v3.5.10
etcdutl/v3.5.11
etcdutl/v3.5.12
etcdutl/v3.5.13
etcdutl/v3.5.14
etcdutl/v3.5.15
etcdutl/v3.5.16
etcdutl/v3.5.17
etcdutl/v3.5.18
etcdutl/v3.5.19
etcdutl/v3.5.2
etcdutl/v3.5.20
etcdutl/v3.5.21
etcdutl/v3.5.22
etcdutl/v3.5.23
etcdutl/v3.5.24
etcdutl/v3.5.25
etcdutl/v3.5.26
etcdutl/v3.5.27
etcdutl/v3.5.3
etcdutl/v3.5.4
etcdutl/v3.5.5
etcdutl/v3.5.6
etcdutl/v3.5.7
etcdutl/v3.5.8
etcdutl/v3.5.9
etcdutl/v3.6.0
etcdutl/v3.6.0-alpha.0
etcdutl/v3.6.0-rc.0
etcdutl/v3.6.0-rc.1
etcdutl/v3.6.0-rc.2
etcdutl/v3.6.0-rc.3
etcdutl/v3.6.0-rc.4
etcdutl/v3.6.0-rc.5
etcdutl/v3.6.1
etcdutl/v3.6.2
etcdutl/v3.6.3
etcdutl/v3.6.4
etcdutl/v3.6.5
etcdutl/v3.6.6
etcdutl/v3.6.7
etcdutl/v3.6.8
pkg/v3.*
pkg/v3.5.0
pkg/v3.5.0-alpha.0
pkg/v3.5.0-beta.2
pkg/v3.5.0-beta.3
pkg/v3.5.0-beta.4
pkg/v3.5.0-rc.0
pkg/v3.5.0-rc.1
pkg/v3.5.1
pkg/v3.5.10
pkg/v3.5.11
pkg/v3.5.12
pkg/v3.5.13
pkg/v3.5.14
pkg/v3.5.15
pkg/v3.5.16
pkg/v3.5.17
pkg/v3.5.18
pkg/v3.5.19
pkg/v3.5.2
pkg/v3.5.20
pkg/v3.5.21
pkg/v3.5.22
pkg/v3.5.23
pkg/v3.5.24
pkg/v3.5.25
pkg/v3.5.26
pkg/v3.5.27
pkg/v3.5.3
pkg/v3.5.4
pkg/v3.5.5
pkg/v3.5.6
pkg/v3.5.7
pkg/v3.5.8
pkg/v3.5.9
pkg/v3.6.0
pkg/v3.6.0-alpha.0
pkg/v3.6.0-rc.0
pkg/v3.6.0-rc.1
pkg/v3.6.0-rc.2
pkg/v3.6.0-rc.3
pkg/v3.6.0-rc.4
pkg/v3.6.0-rc.5
pkg/v3.6.1
pkg/v3.6.2
pkg/v3.6.3
pkg/v3.6.4
pkg/v3.6.5
pkg/v3.6.6
pkg/v3.6.7
pkg/v3.6.8
raft/v3.*
raft/v3.5.0
raft/v3.5.0-alpha.0
raft/v3.5.0-beta.2
raft/v3.5.0-beta.3
raft/v3.5.0-beta.4
raft/v3.5.0-rc.0
raft/v3.5.0-rc.1
raft/v3.5.1
raft/v3.5.10
raft/v3.5.11
raft/v3.5.12
raft/v3.5.13
raft/v3.5.14
raft/v3.5.15
raft/v3.5.16
raft/v3.5.17
raft/v3.5.18
raft/v3.5.19
raft/v3.5.2
raft/v3.5.20
raft/v3.5.21
raft/v3.5.22
raft/v3.5.23
raft/v3.5.24
raft/v3.5.25
raft/v3.5.26
raft/v3.5.27
raft/v3.5.3
raft/v3.5.4
raft/v3.5.5
raft/v3.5.6
raft/v3.5.7
raft/v3.5.8
raft/v3.5.9
raft/v3.6.0-alpha.0
server/v3.*
server/v3.5.0
server/v3.5.0-alpha.0
server/v3.5.0-beta.2
server/v3.5.0-beta.3
server/v3.5.0-beta.4
server/v3.5.0-rc.0
server/v3.5.0-rc.1
server/v3.5.1
server/v3.5.10
server/v3.5.11
server/v3.5.12
server/v3.5.13
server/v3.5.14
server/v3.5.15
server/v3.5.16
server/v3.5.17
server/v3.5.18
server/v3.5.19
server/v3.5.2
server/v3.5.20
server/v3.5.21
server/v3.5.22
server/v3.5.23
server/v3.5.24
server/v3.5.25
server/v3.5.26
server/v3.5.27
server/v3.5.3
server/v3.5.4
server/v3.5.5
server/v3.5.6
server/v3.5.7
server/v3.5.8
server/v3.5.9
server/v3.6.0
server/v3.6.0-alpha.0
server/v3.6.0-rc.0
server/v3.6.0-rc.1
server/v3.6.0-rc.2
server/v3.6.0-rc.3
server/v3.6.0-rc.4
server/v3.6.0-rc.5
server/v3.6.1
server/v3.6.2
server/v3.6.3
server/v3.6.4
server/v3.6.5
server/v3.6.6
server/v3.6.7
server/v3.6.8
tests/v3.*
tests/v3.5.0
tests/v3.5.0-alpha.0
tests/v3.5.0-beta.2
tests/v3.5.0-beta.3
tests/v3.5.0-beta.4
tests/v3.5.0-rc.0
tests/v3.5.0-rc.1
tests/v3.5.1
tests/v3.5.10
tests/v3.5.11
tests/v3.5.12
tests/v3.5.13
tests/v3.5.14
tests/v3.5.15
tests/v3.5.16
tests/v3.5.17
tests/v3.5.18
tests/v3.5.19
tests/v3.5.2
tests/v3.5.20
tests/v3.5.21
tests/v3.5.22
tests/v3.5.23
tests/v3.5.24
tests/v3.5.25
tests/v3.5.26
tests/v3.5.27
tests/v3.5.3
tests/v3.5.4
tests/v3.5.5
tests/v3.5.6
tests/v3.5.7
tests/v3.5.8
tests/v3.5.9
tests/v3.6.0
tests/v3.6.0-alpha.0
tests/v3.6.0-rc.0
tests/v3.6.0-rc.1
tests/v3.6.0-rc.2
tests/v3.6.0-rc.3
tests/v3.6.0-rc.4
tests/v3.6.0-rc.5
tests/v3.6.1
tests/v3.6.2
tests/v3.6.3
tests/v3.6.4
tests/v3.6.5
tests/v3.6.6
tests/v3.6.7
tests/v3.6.8
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.2.0
v0.2.0-rc1
v0.2.0-rc2
v0.2.0-rc3
v0.2.0-rc4
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.5.0-alpha.0
v0.5.0-alpha.1
v0.5.0-alpha.2
v0.5.0-alpha.3
v0.5.0-alpha.4
v0.5.0-alpha.5
v2.*
v2.0.0
v2.0.0-rc.1
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.1.0
v2.1.0-alpha.0
v2.1.0-alpha.1
v2.1.0-rc.0
v2.1.1
v2.2.0
v2.2.0-alpha.0
v2.2.0-alpha.1
v2.2.0-rc.0
v2.3.0
v2.3.0-alpha.0
v2.3.0-alpha.1
v3.*
v3.0.0-beta.0
v3.1.0-alpha.0
v3.1.0-alpha.1
v3.1.0-rc.0
v3.1.0-rc.1
v3.2.0+git
v3.2.0-rc.0
v3.2.0-rc.1
v3.2.0_plus_git
v3.2.10_plus_git
v3.3.0-rc.0
v3.3.9_plus_git
v3.4.0
v3.4.0-rc.0
v3.4.0-rc.1
v3.4.0-rc.2
v3.4.0-rc.3
v3.4.0-rc.4
v3.4.1
v3.4.10
v3.4.11
v3.4.12
v3.4.13
v3.4.14
v3.4.15
v3.4.16
v3.4.17
v3.4.18
v3.4.19
v3.4.2
v3.4.20
v3.4.21
v3.4.22
v3.4.23
v3.4.24
v3.4.25
v3.4.26
v3.4.27
v3.4.28
v3.4.29
v3.4.3
v3.4.30
v3.4.31
v3.4.32
v3.4.33
v3.4.34
v3.4.35
v3.4.36
v3.4.37
v3.4.38
v3.4.39
v3.4.4
v3.4.40
v3.4.41
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v3.5.0
v3.5.0-alpha.0
v3.5.0-beta.0
v3.5.0-beta.1
v3.5.0-beta.2
v3.5.0-beta.3
v3.5.0-beta.4
v3.5.0-rc.0
v3.5.0-rc.1
v3.5.1
v3.5.10
v3.5.11
v3.5.12
v3.5.13
v3.5.14
v3.5.15
v3.5.16
v3.5.17
v3.5.18
v3.5.19
v3.5.2
v3.5.20
v3.5.21
v3.5.22
v3.5.23
v3.5.24
v3.5.25
v3.5.26
v3.5.27
v3.5.3
v3.5.4
v3.5.5
v3.5.6
v3.5.7
v3.5.8
v3.5.9
v3.6.0
v3.6.0-alpha.0
v3.6.0-rc.0
v3.6.0-rc.1
v3.6.0-rc.2
v3.6.0-rc.3
v3.6.0-rc.4
v3.6.0-rc.5
v3.6.1
v3.6.2
v3.6.3
v3.6.4
v3.6.5
v3.6.6
v3.6.7
v3.6.8

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33413.json"