UBUNTU-CVE-2026-33413

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2026-33413
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33413.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-33413
Upstream
Published
2026-03-26T14:16:00Z
Modified
2026-04-02T17:31:26Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N CVSS Calculator
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

References

Affected packages

Ubuntu:16.04:LTS
etcd

Package

Name
etcd
Purl
pkg:deb/ubuntu/etcd@2.2.5+dfsg-1ubuntu1?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.2.0+dfsg-2
2.2.1+dfsg-1
2.2.2+dfsg-1
2.2.2+dfsg-2
2.2.3+dfsg-1
2.2.5+dfsg-1
2.2.5+dfsg-1ubuntu1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "2.2.5+dfsg-1ubuntu1",
            "binary_name": "etcd"
        },
        {
            "binary_version": "2.2.5+dfsg-1ubuntu1",
            "binary_name": "golang-etcd-server-dev"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33413.json"
Ubuntu:25.10
etcd

Package

Name
etcd
Purl
pkg:deb/ubuntu/etcd@3.5.16-4?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.5.16-4

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "3.5.16-4",
            "binary_name": "etcd-client"
        },
        {
            "binary_version": "3.5.16-4",
            "binary_name": "etcd-server"
        },
        {
            "binary_version": "3.5.16-4",
            "binary_name": "golang-etcd-server-dev"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33413.json"
Ubuntu:Pro:18.04:LTS
etcd

Package

Name
etcd
Purl
pkg:deb/ubuntu/etcd@3.2.17+dfsg-1ubuntu0.1+esm2?arch=source&distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.1.0-1
3.2.9+dfsg-2
3.2.9+dfsg-3
3.2.17+dfsg-1
3.2.17+dfsg-1ubuntu0.1~esm1
3.2.17+dfsg-1ubuntu0.1
3.2.17+dfsg-1ubuntu0.1+esm1
3.2.17+dfsg-1ubuntu0.1+esm2

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "3.2.17+dfsg-1ubuntu0.1+esm2",
            "binary_name": "etcd"
        },
        {
            "binary_version": "3.2.17+dfsg-1ubuntu0.1+esm2",
            "binary_name": "etcd-client"
        },
        {
            "binary_version": "3.2.17+dfsg-1ubuntu0.1+esm2",
            "binary_name": "etcd-server"
        },
        {
            "binary_version": "3.2.17+dfsg-1ubuntu0.1+esm2",
            "binary_name": "golang-etcd-server-dev"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33413.json"
Ubuntu:Pro:20.04:LTS
etcd

Package

Name
etcd
Purl
pkg:deb/ubuntu/etcd@3.2.26+dfsg-6ubuntu0.2+esm1?arch=source&distro=esm-apps/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.2.26+dfsg-3
3.2.26+dfsg-4
3.2.26+dfsg-6
3.2.26+dfsg-6ubuntu0.1
3.2.26+dfsg-6ubuntu0.2
3.2.26+dfsg-6ubuntu0.2+esm1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "3.2.26+dfsg-6ubuntu0.2+esm1",
            "binary_name": "etcd"
        },
        {
            "binary_version": "3.2.26+dfsg-6ubuntu0.2+esm1",
            "binary_name": "etcd-client"
        },
        {
            "binary_version": "3.2.26+dfsg-6ubuntu0.2+esm1",
            "binary_name": "etcd-server"
        },
        {
            "binary_version": "3.2.26+dfsg-6ubuntu0.2+esm1",
            "binary_name": "golang-etcd-server-dev"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33413.json"
Ubuntu:Pro:22.04:LTS
etcd

Package

Name
etcd
Purl
pkg:deb/ubuntu/etcd@3.3.25+dfsg-7ubuntu0.22.04.2+esm3?arch=source&distro=esm-apps/jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.3.25+dfsg-6
3.3.25+dfsg-7
3.3.25+dfsg-7ubuntu0.22.04.1
3.3.25+dfsg-7ubuntu0.22.04.1+esm1
3.3.25+dfsg-7ubuntu0.22.04.2
3.3.25+dfsg-7ubuntu0.22.04.2+esm1
3.3.25+dfsg-7ubuntu0.22.04.2+esm2
3.3.25+dfsg-7ubuntu0.22.04.2+esm3

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "3.3.25+dfsg-7ubuntu0.22.04.2+esm3",
            "binary_name": "etcd"
        },
        {
            "binary_version": "3.3.25+dfsg-7ubuntu0.22.04.2+esm3",
            "binary_name": "etcd-client"
        },
        {
            "binary_version": "3.3.25+dfsg-7ubuntu0.22.04.2+esm3",
            "binary_name": "etcd-server"
        },
        {
            "binary_version": "3.3.25+dfsg-7ubuntu0.22.04.2+esm3",
            "binary_name": "golang-etcd-server-dev"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33413.json"
Ubuntu:Pro:24.04:LTS
etcd

Package

Name
etcd
Purl
pkg:deb/ubuntu/etcd@3.4.30-1ubuntu0.24.04.3+esm2?arch=source&distro=esm-apps/noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.4.23-4ubuntu2
3.4.30-1
3.4.30-1build1
3.4.30-1ubuntu0.24.04.1
3.4.30-1ubuntu0.24.04.2
3.4.30-1ubuntu0.24.04.2+esm1
3.4.30-1ubuntu0.24.04.3
3.4.30-1ubuntu0.24.04.3+esm1
3.4.30-1ubuntu0.24.04.3+esm2

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "3.4.30-1ubuntu0.24.04.3+esm2",
            "binary_name": "etcd-client"
        },
        {
            "binary_version": "3.4.30-1ubuntu0.24.04.3+esm2",
            "binary_name": "etcd-server"
        },
        {
            "binary_version": "3.4.30-1ubuntu0.24.04.3+esm2",
            "binary_name": "golang-etcd-server-dev"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33413.json"