CVE-2026-33413
Published: 26 March 2026
Summary
CVE-2026-33413 is a high-severity Missing Authorization (CWE-862) vulnerability in etcd. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 15.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-33413 is a missing authorization vulnerability (CWE-862) in etcd, a distributed key-value store that holds the data of a distributed system. It affects etcd versions prior to 3.4.42, 3.5.28, and 3.6.9, where unauthorized users can bypass authentication and authorization checks and call specific functions when the gRPC API is exposed to untrusted or partially trusted clients. The vulnerability enables access to sensitive etcd operations in clusters with etcd authentication enabled, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Typical Kubernetes deployments are unaffected, as they rely on the Kubernetes API server for authentication and authorization rather than etcd's built-in mechanisms.
Attackers with low privileges (PR:L) who can reach the exposed gRPC API can exploit this to call MemberList and enumerate cluster topology, including member IDs and advertised endpoints; invoke Alarm for operational disruption or denial of service; manipulate Lease APIs to interfere with TTL-based keys and lease ownership; or trigger compaction to permanently delete historical revisions, disrupting watch, audit, and recovery workflows. Exploitation requires network access to etcd ports but no high privileges or user interaction, allowing remote attackers to achieve high confidentiality, integrity, and availability impacts.
Patches are available in etcd versions 3.4.42, 3.5.28, and 3.6.9. For clusters unable to upgrade immediately, mitigations include treating the affected RPCs (MemberList, Alarm, Lease APIs, and compaction) as unauthenticated, restricting network access to etcd server ports to only trusted components, and enforcing strong client identity via transport-layer security such as mTLS with tightly scoped client certificates. Additional details are in the etcd security advisory at https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16191
Vulnerability details
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd's built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
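As an added example (not from the advisory or the etcd project): a small Python audit that checks a node's reported version against the fixed releases named above and flags the configuration gaps that the mitigation guidance in the Deeper analysis and Vulnerability details sections targets, namely plaintext client listeners and missing client-certificate verification. The `version` key, the two sample node configs and the finding strings are constructed for this example; the remaining keys mirror etcd's YAML configuration names.

```python
import re

# First fixed release on each supported branch, as listed in the advisory.
FIXED = {(3, 4): (3, 4, 42), (3, 5): (3, 5, 28), (3, 6): (3, 6, 9)}

def parse_version(v):
    """'v3.5.27' or '3.5.27' -> (3, 5, 27); any pre-release suffix is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised etcd version: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """True when the release contains the fix; a branch with no fixed release (e.g. 3.3) counts as unpatched."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v >= fixed

def audit_node(cfg):
    """Return findings for one node. `cfg` mirrors etcd's YAML keys (listen-client-urls,
    client-transport-security) plus a constructed 'version' key for the running binary."""
    findings = []
    if not is_patched(cfg.get("version", "0.0.0")):
        findings.append("unpatched: upgrade to 3.4.42, 3.5.28 or 3.6.9")
    for url in cfg.get("listen-client-urls", "").split(","):
        url = url.strip()
        # A plaintext listener off loopback offers no client identity at all.
        if url.startswith("http://") and not re.search(r"//(localhost|127\.0\.0\.1)", url):
            findings.append(f"plaintext client listener {url}: no transport identity")
    tls = cfg.get("client-transport-security", {})
    if not tls.get("client-cert-auth"):
        findings.append("client-cert-auth off: any peer that reaches the port can call the gRPC API")
    elif not tls.get("trusted-ca-file"):
        findings.append("client-cert-auth on but no trusted-ca-file to verify clients against")
    return findings

# Constructed sample configs: the exposed shape beside the hardened one.
WEAK_NODE = {
    "version": "v3.5.27",
    "listen-client-urls": "http://0.0.0.0:2379",
    "client-transport-security": {"client-cert-auth": False},
}
HARDENED_NODE = {
    "version": "v3.5.28",
    "listen-client-urls": "https://10.0.0.5:2379",
    "client-transport-security": {
        "cert-file": "/etc/etcd/server.crt", "key-file": "/etc/etcd/server.key",
        "client-cert-auth": True, "trusted-ca-file": "/etc/etcd/ca.crt"},
}
```

Running `audit_node` over each member's config gives a per-node list of findings; an empty list means the node is on a fixed release and only accepts TLS clients presenting a certificate signed by the trusted CA.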
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization in the exposed etcd gRPC API directly enables T1190 (exploitation of a public-facing application), T1018 (cluster topology discovery via MemberList), T1485 (data destruction via compaction), and T1070 (deletion of historical and audit revisions).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: requires timely identification, reporting, and remediation of the etcd authorization bypass flaw through patching to versions 3.4.42, 3.5.28, or 3.6.9.
- SC-7 (Boundary Protection): prevents unauthorized access to the exposed etcd gRPC API by restricting network connectivity to only trusted components, as recommended in the mitigation guidance.
- AC-3 (Access Enforcement): mandates enforcement of approved authorizations to block unauthorized calls to sensitive etcd functions such as MemberList, Alarm, Lease APIs, and compaction.