What is the CVSS score of CVE-2026-33343?

CVE-2026-33343 has a CVSS 3.1 base score of 5.9 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N. EPSS exploitation probability: 1.0%.

Which versions of Kubernetes are affected by CVE-2026-33343?

Organizations using _What kind of vulnerability should be aware of moderate risk from CVE-2026-33343, a incorrect authorization vulnerability rated CVSS 5.9.. A patch is available.

Kubernetes CVE-2026-33343

EUVD-2026-14016 MEDIUM

Incorrect Authorization (CWE-863)

2026-03-20 https://github.com/etcd-io/etcd

GHSA-ghq8-9c7r-622r

GHSA-hh8v-hgvp-g3f5

GHSA-jp2q-39xq-3w4g

GHSA-ph8x-4jfv-v9v8

GHSA-rfx7-8w68-q57q

Authentication Bypass Kubernetes Red Hat Suse

5.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 20, 2026 - 20:46 euvd

EUVD-2026-14016

Analysis Generated

Mar 20, 2026 - 20:46 vuln.today

CVE Published

Mar 20, 2026 - 20:34 nvd

MEDIUM 5.9

DescriptionNVD

Impact

_What kind of vulnerability is it? Who is impacted?_

An authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store.

Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.

Patches

_Has the problem been patched? What versions should users upgrade to?_

This vulnerability is patched in the following versions:

etcd 3.6.9
etcd 3.5.28
etcd 3.4.42

Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice.

restrict network access to etcd server ports so only trusted components can connect
require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate

distribution

Reporters

_Our community helps keep etcd secure_

SIG-Etcd thanks community members Luke Francis and Battulga Byambaa for reporting this vulnerability.

AnalysisAI

An authenticated user with restricted RBAC permissions on specific key ranges in etcd can use nested transactions to completely bypass key-level authorization controls and access the entire etcd data store. This affects etcd versions 3.4.x before 3.4.42, 3.5.x before 3.5.28, and 3.6.x before 3.6.9. …

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory