Improper access control in etcd - #VU130110

 


Published: May 5, 2026


Vulnerability identifier: #VU130110
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: etcd-io
Affected software:
etcd

Detailed vulnerability description

The vulnerability allows a remote attacker to attach leases without authorization.

The vulnerability exists due to improper access control in transaction operations when processing Put requests with lease attachment enabled. A remote attacker can send a specially crafted transaction request to attach leases without authorization.

Kubernetes deployments that rely on the API server for authentication and authorization are not affected.


Remediation

Install the security update from the vendor's website.
