SB2026050599 - Multiple vulnerabilities in etcd
Published: May 5, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-33343)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker who can submit transaction (Txn) requests to bypass etcd's key-level authorization checks.
The vulnerability exists due to improper access control when etcd processes nested transactions, i.e. a Txn request whose success or failure branch itself contains a Txn operation. Key-level authorization is not correctly enforced for operations carried inside the nested transaction, so an attacker can craft a nested Txn that reads or writes keys the calling user's role does not grant.
Typical Kubernetes deployments are not affected because Kubernetes does not rely on etcd's built-in authentication and authorization: kube-apiserver authenticates to etcd with client certificates and etcd RBAC is not enabled, so there is no per-key role model for the nested transaction to bypass. Deployments that use etcd directly with auth enabled and per-key roles are the ones at risk.
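To make the failure mode concrete, the following Go program is an added illustration written for this bulletin; it is not etcd's own code and uses a simplified, hypothetical model of etcd's Txn request (exact keys only, no ranges, and a made-up Perms type). It contrasts a flat authorization check, which only looks at the top-level operations of each branch, with a recursive check that descends into nested Txn operations, bounds nesting depth, and rejects a malformed nested op. The constructed request hides a write to another user's key inside a nested Txn.

```go
package main

import (
	"errors"
	"fmt"
)

// OpKind enumerates the request operations a Txn branch may carry.
type OpKind int

const (
	OpRange OpKind = iota
	OpPut
	OpDeleteRange
	OpTxn // a nested transaction
)

// RequestOp models one operation inside a Txn branch (simplified: exact keys only).
type RequestOp struct {
	Kind OpKind
	Key  string
	Txn  *TxnRequest // populated only when Kind == OpTxn
}

// TxnRequest models a transaction: keys its compares read, plus the ops
// executed on the success or failure branch.
type TxnRequest struct {
	CompareKeys []string
	Success     []RequestOp
	Failure     []RequestOp
}

// Perms is a hypothetical per-user permission set keyed by exact key.
type Perms struct {
	Read  map[string]bool
	Write map[string]bool
}

var (
	ErrPermissionDenied = errors.New("permission denied")
	ErrTooDeep          = errors.New("txn nesting too deep")
	ErrMalformed        = errors.New("nested txn op has no body")
)

const maxNesting = 4 // assumed cap; a real server must bound recursion too

// branchOps returns the ops of both branches; compares are checked separately.
func branchOps(t *TxnRequest) []RequestOp {
	return append(append([]RequestOp{}, t.Success...), t.Failure...)
}

func checkCompares(p Perms, t *TxnRequest) error {
	for _, k := range t.CompareKeys {
		if !p.Read[k] {
			return fmt.Errorf("compare %q: %w", k, ErrPermissionDenied)
		}
	}
	return nil
}

// checkLeaf authorizes a single non-Txn op against the caller's permissions.
func checkLeaf(p Perms, op RequestOp) error {
	switch op.Kind {
	case OpRange:
		if !p.Read[op.Key] {
			return fmt.Errorf("range %q: %w", op.Key, ErrPermissionDenied)
		}
	case OpPut, OpDeleteRange:
		if !p.Write[op.Key] {
			return fmt.Errorf("write %q: %w", op.Key, ErrPermissionDenied)
		}
	}
	return nil
}

// CheckTxnFlat is the flawed pattern: it authorizes compares and top-level
// ops but treats a nested Txn op as opaque, so its keys are never checked.
func CheckTxnFlat(p Perms, t *TxnRequest) error {
	if err := checkCompares(p, t); err != nil {
		return err
	}
	for _, op := range branchOps(t) {
		if op.Kind == OpTxn {
			continue // BUG: nested ops are never authorized
		}
		if err := checkLeaf(p, op); err != nil {
			return err
		}
	}
	return nil
}

// CheckTxnRecursive is the hardened pattern: every nested Txn is walked so
// each key touched at any depth is authorized, with depth bounded.
func CheckTxnRecursive(p Perms, t *TxnRequest) error { return checkDepth(p, t, 0) }

func checkDepth(p Perms, t *TxnRequest, depth int) error {
	if depth > maxNesting {
		return ErrTooDeep
	}
	if err := checkCompares(p, t); err != nil {
		return err
	}
	for _, op := range branchOps(t) {
		var err error
		switch {
		case op.Kind == OpTxn && op.Txn == nil:
			err = ErrMalformed
		case op.Kind == OpTxn:
			err = checkDepth(p, op.Txn, depth+1)
		default:
			err = checkLeaf(p, op)
		}
		if err != nil {
			return err
		}
	}
	return nil
}

// CraftedTxn is a constructed request in the shape the bulletin describes: an
// innocuous top-level Put wrapping a nested Txn that writes a key the caller
// may not touch.
func CraftedTxn() *TxnRequest {
	return &TxnRequest{Success: []RequestOp{
		{Kind: OpPut, Key: "/app/alice/config"},
		{Kind: OpTxn, Txn: &TxnRequest{
			Success: []RequestOp{{Kind: OpPut, Key: "/app/bob/config"}},
		}},
	}}
}

// AlicePerms grants the constructed user access only to her own key.
func AlicePerms() Perms {
	return Perms{
		Read:  map[string]bool{"/app/alice/config": true},
		Write: map[string]bool{"/app/alice/config": true},
	}
}

func main() {
	t, p := CraftedTxn(), AlicePerms()
	fmt.Println("flat check:     ", CheckTxnFlat(p, t))
	fmt.Println("recursive check:", CheckTxnRecursive(p, t))
}
```

The point the model makes is that authorization must be applied to the fully expanded set of keys a request can touch, which for Txn means recursing into every nested branch rather than stopping at the first level; the depth cap and the nil check cover the two edge cases a recursive checker introduces.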
2) Improper access control (CVE-ID: CVE-2026-33413)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks and invoke etcd API functions that should be restricted.
The vulnerability exists because the gRPC API layer does not correctly enforce authorization on several cluster-level calls when handling requests from untrusted or partially trusted clients. With etcd auth enabled, a remote client that lacks the required privileges can call the MemberList, Alarm, and Lease APIs, or trigger compaction, even though those calls should be restricted to authorized users.
Only clusters that have etcd auth enabled and expose the gRPC client API to untrusted or partially trusted clients are exposed. Clusters that run without etcd auth are not made worse by this issue, because every client already has full access there; clusters whose client port is reachable only by fully trusted, certificate-authenticated clients have no untrusted caller to exploit it.
Remediation
Install the update from the vendor's website. Until the update is applied, restrict network access to the etcd client (gRPC) port to trusted clients, and audit etcd roles so that no partially trusted user holds transaction access to keys it should not reach.