Improper access control in etcd - CVE-2026-33413

Published: May 5, 2026

Vulnerability identifier: #VU130102
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33413
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: CoreOS
Affected software:
etcd

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authorization checks and invoke restricted etcd API functions.

The vulnerability exists due to improper access control in the gRPC API layer when it handles requests from untrusted or partially trusted clients. A remote attacker can call the MemberList, Alarm, or Lease APIs, or trigger compaction, without passing the expected authorization checks, and thereby invoke restricted etcd API functions.

The issue is exposed in clusters with etcd auth enabled that expose the gRPC API to untrusted or partially trusted clients.

How to mitigate CVE-2026-33413

Install the security update from the vendor's website.

Sources