Cyber Resilience

CVE-2026-33413

High

Published: 26 March 2026

Modified: 26 March 2026
KEV Added: not listed in CISA KEV
Patch: available
CVSS v4 score: 8.8 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0025 (15.9th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-33413 is a high-severity Missing Authorization (CWE-862) vulnerability in etcd. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-33413 is a missing authorization vulnerability (CWE-862) in etcd, a distributed key-value store used for data in distributed systems. It affects etcd versions prior to 3.4.42, 3.5.28, and 3.6.9, where unauthorized users can bypass authentication and authorization checks to call specific functions when the gRPC API is exposed to untrusted or partially trusted clients. The vulnerability enables access to sensitive etcd operations in clusters with etcd authentication enabled, carrying a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Typical Kubernetes deployments are unaffected, as they rely on the Kubernetes API server for authentication and authorization rather than etcd's built-in mechanisms.

Attackers with low privileges (PR:L) who can reach the exposed gRPC API can exploit this to call MemberList and enumerate cluster topology, including member IDs and advertised endpoints; invoke Alarm for operational disruption or denial of service; manipulate Lease APIs to interfere with TTL-based keys and lease ownership; or trigger compaction to permanently delete historical revisions, disrupting watch, audit, and recovery workflows. Exploitation requires network access to etcd ports but no high privileges or user interaction, allowing remote attackers to achieve high confidentiality, integrity, and availability impacts.

Patches are available in etcd versions 3.4.42, 3.5.28, and 3.6.9. For clusters unable to upgrade immediately, mitigations include treating the affected RPCs (MemberList, Alarm, Lease APIs, and compaction) as unauthenticated, restricting network access to etcd server ports to only trusted components, and enforcing strong client identity via transport-layer security such as mTLS with tightly scoped client certificates. Additional details are in the etcd security advisory at https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg.
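As an added triage aid (not part of this advisory or the etcd project), the following Python checks whether a reported etcd version falls in the affected ranges above and whether a server's command line carries the mTLS client-identity flags the mitigation guidance calls for. It assumes the real etcd server flags --client-cert-auth and --trusted-ca-file, and its handling of minor series outside 3.4 to 3.6 is an assumption noted in the comments.

```python
"""Triage helper for CVE-2026-33413: is an etcd build in an affected range,
and is the advisory's transport-layer mitigation present on its command line?"""
import re

# First fixed patch release in each affected minor series, per the advisory.
FIXED_PATCH = {(3, 4): 42, (3, 5): 28, (3, 6): 9}


def parse_version(text):
    """Pull (major, minor, patch) out of `etcd --version` style output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the build predates the fix for its minor series.
    Assumption: series older than 3.4 received no fix and are treated as
    affected; series newer than 3.6 postdate the advisory and are treated
    as fixed."""
    major, minor, patch = version
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is not None:
        return patch < fixed
    return (major, minor) < (3, 4)


def missing_mitigations(argv):
    """Names of the mTLS client-identity flags absent from an etcd argv.
    --client-cert-auth and --trusted-ca-file are real etcd server flags;
    argv is assumed to be the process's actual command line."""
    flags = {}
    for arg in argv[1:]:
        if arg.startswith("--"):
            key, _, val = arg[2:].partition("=")
            flags[key] = val or "true"  # a bare boolean flag means true
    missing = []
    if flags.get("client-cert-auth", "false").lower() != "true":
        missing.append("client-cert-auth")
    if not flags.get("trusted-ca-file"):
        missing.append("trusted-ca-file")
    return missing


if __name__ == "__main__":
    # Constructed sample: an unpatched 3.5 node started without client cert auth.
    sample = "etcd Version: 3.5.27\nGit SHA: constructed\nGo Version: go1.23"
    print(is_affected(parse_version(sample)),
          missing_mitigations(["etcd", "--listen-client-urls=https://0.0.0.0:2379"]))
```

A node that is affected and reports no missing flags still needs the upgrade; the flag check only confirms that the interim mitigation is in place.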


Vulnerability details

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows.

Kubernetes does not rely on etcd's built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.

Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1018 Remote System Discovery (Discovery): Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1070 Indicator Removal (Stealth): Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity.
Why these techniques?

Missing authorization in the exposed etcd gRPC API directly enables T1190 (public-facing application exploitation), T1018 (cluster topology discovery via MemberList), T1485 (compaction-based data destruction), and T1070 (deletion of historical and audit revisions).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68547 (shared CWE-862)
CVE-2020-36852 (shared CWE-862)
CVE-2026-32817 (shared CWE-862)
CVE-2025-22657 (shared CWE-862)
CVE-2026-25443 (shared CWE-862)
CVE-2026-4365 (shared CWE-862)
CVE-2026-4094 (shared CWE-862)
CVE-2026-27181 (shared CWE-862)
CVE-2024-12104 (shared CWE-862)
CVE-2025-70150 (shared CWE-862)

Affected Assets

Vendor: etcd
Product: etcd
Versions: ≤ 3.4.42 · 3.5.0 through 3.5.28 · 3.6.0 through 3.6.9

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires timely identification, reporting, and remediation of the etcd authorization bypass flaw through patching to versions 3.4.42, 3.5.28, or 3.6.9.

Prevent (SC-7 Boundary Protection): Prevents unauthorized access to the exposed etcd gRPC API by restricting network connectivity to only trusted components, as recommended in the mitigation guidance.

Prevent (AC-3 Access Enforcement): Mandates enforcement of approved authorizations to block unauthorized calls to sensitive etcd functions such as MemberList, Alarm, Lease APIs, and compaction.
