Skip to main content

Kubernetes EUVDEUVD-2026-14016

| CVE-2026-33343 MEDIUM
Incorrect Authorization (CWE-863)
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 20, 2026 - 20:46 euvd
EUVD-2026-14016
Analysis Generated
Mar 20, 2026 - 20:46 vuln.today
CVE Published
Mar 20, 2026 - 20:34 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

Impact

_What kind of vulnerability is it? Who is impacted?_

An authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store.

Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.

Patches

_Has the problem been patched? What versions should users upgrade to?_

This vulnerability is patched in the following versions:

  • etcd 3.6.9
  • etcd 3.5.28
  • etcd 3.4.42

Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice.

  • restrict network access to etcd server ports so only trusted components can connect
  • require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate

distribution

Reporters

_Our community helps keep etcd secure_

SIG-Etcd thanks community members Luke Francis and Battulga Byambaa for reporting this vulnerability.

AnalysisAI

An authenticated user with restricted RBAC permissions on specific key ranges in etcd can use nested transactions to completely bypass key-level authorization controls and access the entire etcd data store. This affects etcd versions 3.4.x before 3.4.42, 3.5.x before 3.5.28, and 3.6.x before 3.6.9. While Kubernetes deployments are typically protected because Kubernetes handles authentication and authorization at the API server layer rather than relying on etcd's built-in controls, direct etcd deployments with RBAC restrictions are at significant risk.

Technical ContextAI

The vulnerability exists in the etcd key-value store (affected CPEs: pkg:go/go.etcd.io_etcd_v3) and is rooted in CWE-863, an authorization bypass vulnerability. The issue stems from improper validation of authorization checks when nested transactions are used within etcd's transaction processing mechanism. Authenticated clients that connect directly to etcd and attempt to access key ranges should have their requests evaluated against configured RBAC policies, but the nested transaction feature allows these authorization controls to be circumvented. The vulnerability affects the RPC layer of etcd, specifically in how transactional operations validate and enforce key-range restrictions that should limit authenticated users' access to subsets of the data store.

RemediationAI

Upgrade etcd immediately to version 3.6.9, 3.5.28, or 3.4.42 (or later) depending on your current release line. The security advisory is available at https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q. If immediate patching is not feasible, implement the following mitigations: restrict network access to etcd server ports (typically 2379 and 2380) to only trusted components and services using firewall rules; enforce mutual TLS (mTLS) authentication at the transport layer with tightly scoped client certificates to limit which identities can connect; and treat the affected authorization RPCs as effectively unauthenticated by implementing access controls at the network layer rather than relying on etcd's RBAC. These workarounds reduce exposure but do not fully eliminate the vulnerability until patching is completed.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-14016 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy