Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Network-reachable gRPC port (AV:N); attacker must hold a validly-issued-then-revoked client certificate, so PR:L not PR:N; full read/write to the store gives C:H/I:H, no availability impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
8DescriptionNVD
etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the --client-crl-file Certificate Revocation List is not enforced on the gRPC listener, allowing a client with a revoked certificate to authenticate successfully over gRPC. This issue is fixed in versions 3.5.32 and 3.6.13.
AnalysisAI
Certificate revocation bypass in etcd affects clusters running versions before 3.5.32 and before 3.6.13 that are configured with --listen-client-http-urls to serve HTTP and gRPC client traffic on separate listeners. In that split-listener mode the --client-crl-file Certificate Revocation List is silently ignored on the gRPC listener, so a client presenting a certificate the operator has explicitly revoked can still complete mutual-TLS authentication and gain full read/write access to the key-value store. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concrete conditions drawn from the description: (1) etcd must be started with --listen-client-http-urls so HTTP and gRPC client endpoints run on separate listeners (this is a non-default deployment mode), and (2) --client-crl-file must be configured, meaning the environment relies on a CRL for deauthorization. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderately conflicting and warrant nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A former operator, decommissioned service, or compromised client whose certificate the cluster administrator has already added to the CRL still holds the private key and revoked cert. Against an etcd node running with --listen-client-http-urls, the attacker connects to the gRPC client port and presents the revoked certificate; because the CRL is not checked on that listener, mutual TLS succeeds and the attacker reads or overwrites cluster keys. … |
| Remediation | Vendor-released patch: upgrade to etcd 3.5.32 (for the 3.5.x line) or 3.6.13 (for the 3.6.x line), which add CRL enforcement to the gRPC listener via the new ConfigureCRLVerification hook; see the GitHub Security Advisory GHSA-3wh4-j44w-pg92 and release notes at https://github.com/etcd-io/etcd/releases/tag/v3.5.32 and https://github.com/etcd-io/etcd/releases/tag/v3.6.13. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all etcd deployments using --listen-client-http-urls (split-listener mode) combined with --client-crl-file to determine exposure scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. Rated high severity (CVSS 8.8), this vulnerabilit
Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug func
DNS rebinding vulnerability found in etcd 3.3.1 and earlier. Rated medium severity (CVSS 5.5), this vulnerability is low
In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery a
etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short pass
In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory pa
In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV r
In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater then the number of entries in t
In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. Rated medium severity (CVS
etcd is a distributed key-value store for the data of a distributed system. Rated medium severity (CVSS 4.3), this vulne
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42426