DEBIAN-CVE-2026-33343

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-33343

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33343.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-33343

Upstream

CVE-2026-33343

Published

2026-03-26T14:16:13.137Z

Modified

2026-03-27T10:03:18.736432Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

References

https://security-tracker.debian.org/tracker/CVE-2026-33343

Affected packages

Debian:11 / etcd

Package

Name: etcd
Purl: pkg:deb/debian/etcd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.3.25+dfsg-6

3.3.25+dfsg-7

3.3.25+dfsg-8

3.4.23-1

3.4.23-2

3.4.23-3

3.4.23-4

3.4.23-5

3.4.23-6

3.4.30-1

3.4.30-2

3.4.30-3

3.5.5-1

3.5.15-1

3.5.15-2

3.5.15-3

3.5.15-4

3.5.15-5

3.5.15-6

3.5.15-7

3.5.16-1

3.5.16-2

3.5.16-3

3.5.16-4

3.5.16-5

3.5.16-6

3.5.16-7

3.5.16-8

3.5.16-9

3.5.16-10

3.5.22-1

3.5.22-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33343.json"

Debian:12 / etcd

Package

Name: etcd
Purl: pkg:deb/debian/etcd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.4.23-4

3.4.23-5

3.4.23-6

3.4.30-1

3.4.30-2

3.4.30-3

3.5.5-1

3.5.15-1

3.5.15-2

3.5.15-3

3.5.15-4

3.5.15-5

3.5.15-6

3.5.15-7

3.5.16-1

3.5.16-2

3.5.16-3

3.5.16-4

3.5.16-5

3.5.16-6

3.5.16-7

3.5.16-8

3.5.16-9

3.5.16-10

3.5.22-1

3.5.22-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33343.json"

Debian:13 / etcd

Package

Name: etcd
Purl: pkg:deb/debian/etcd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.5.16-4

3.5.16-5

3.5.16-6

3.5.16-7

3.5.16-8

3.5.16-9

3.5.16-10

3.5.22-1

3.5.22-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33343.json"

Debian:14 / etcd

Package

Name: etcd
Purl: pkg:deb/debian/etcd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.5.16-4

3.5.16-5

3.5.16-6

3.5.16-7

3.5.16-8

3.5.16-9

3.5.16-10

3.5.22-1

3.5.22-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33343.json"