Skip to main content

etcd CVE-2026-59818

| EUVDEUVD-2026-42426 HIGH
Improper Certificate Validation (CWE-295)
2026-07-08 security-advisories@github.com
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Network-reachable gRPC port (AV:N); attacker must hold a validly-issued-then-revoked client certificate, so PR:L not PR:N; full read/write to the store gives C:H/I:H, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

8
Analysis Updated
Jul 13, 2026 - 14:59 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 13, 2026 - 14:58 vuln.today
Analysis Updated
Jul 13, 2026 - 14:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 13, 2026 - 14:52 vuln.today
cvss_changed
Severity Changed
Jul 13, 2026 - 14:52 NVD
MEDIUM HIGH
CVSS changed
Jul 13, 2026 - 14:52 NVD
6.5 (MEDIUM) 8.1 (HIGH)
Analysis Generated
Jul 08, 2026 - 22:26 vuln.today
Patch available
Jul 08, 2026 - 22:04 EUVD

DescriptionNVD

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the --client-crl-file Certificate Revocation List is not enforced on the gRPC listener, allowing a client with a revoked certificate to authenticate successfully over gRPC. This issue is fixed in versions 3.5.32 and 3.6.13.

AnalysisAI

Certificate revocation bypass in etcd affects clusters running versions before 3.5.32 and before 3.6.13 that are configured with --listen-client-http-urls to serve HTTP and gRPC client traffic on separate listeners. In that split-listener mode the --client-crl-file Certificate Revocation List is silently ignored on the gRPC listener, so a client presenting a certificate the operator has explicitly revoked can still complete mutual-TLS authentication and gain full read/write access to the key-value store. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain revoked client certificate
Delivery
Connect to split gRPC client port
Exploit
Present revoked cert in mutual TLS
Execution
CRL check skipped on gRPC listener
Persist
Authenticate successfully
Impact
Read or modify key-value store

Vulnerability AssessmentAI

Exploitation Exploitation requires two concrete conditions drawn from the description: (1) etcd must be started with --listen-client-http-urls so HTTP and gRPC client endpoints run on separate listeners (this is a non-default deployment mode), and (2) --client-crl-file must be configured, meaning the environment relies on a CRL for deauthorization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately conflicting and warrant nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A former operator, decommissioned service, or compromised client whose certificate the cluster administrator has already added to the CRL still holds the private key and revoked cert. Against an etcd node running with --listen-client-http-urls, the attacker connects to the gRPC client port and presents the revoked certificate; because the CRL is not checked on that listener, mutual TLS succeeds and the attacker reads or overwrites cluster keys. …
Remediation Vendor-released patch: upgrade to etcd 3.5.32 (for the 3.5.x line) or 3.6.13 (for the 3.6.x line), which add CRL enforcement to the gRPC listener via the new ConfigureCRLVerification hook; see the GitHub Security Advisory GHSA-3wh4-j44w-pg92 and release notes at https://github.com/etcd-io/etcd/releases/tag/v3.5.32 and https://github.com/etcd-io/etcd/releases/tag/v3.6.13. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all etcd deployments using --listen-client-http-urls (split-listener mode) combined with --client-crl-file to determine exposure scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Etcd

View all
CVE-2018-1098 HIGH POC
8.8 Apr 03

A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. Rated high severity (CVSS 8.8), this vulnerabilit

CVE-2021-28235 CRITICAL
9.8 Apr 04

Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug func

CVE-2018-1099 MEDIUM POC
5.5 Apr 03

DNS rebinding vulnerability found in etcd 3.3.1 and earlier. Rated medium severity (CVSS 5.5), this vulnerability is low

CVE-2020-15114 HIGH
7.7 Aug 06

In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery a

CVE-2020-15115 HIGH
7.5 Aug 06

etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short pass

CVE-2020-15113 HIGH
7.1 Aug 05

In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory pa

CVE-2020-15136 MEDIUM
6.5 Aug 06

In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV r

CVE-2020-15112 MEDIUM
6.5 Aug 05

In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater then the number of entries in t

CVE-2020-15106 MEDIUM
6.5 Aug 05

In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. Rated medium severity (CVS

CVE-2023-32082 MEDIUM
4.3 May 11

etcd is a distributed key-value store for the data of a distributed system. Rated medium severity (CVSS 4.3), this vulne

Share

CVE-2026-59818 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy