CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Impact
_What kind of vulnerability is it? Who is impacted?_
A vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled.
Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.
Patches
_Has the problem been patched? What versions should users upgrade to?_
This vulnerability is patched in the following versions:
- etcd 3.6.11
- etcd 3.5.30
- etcd 3.4.44
Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice.
- restrict network access to etcd server ports so only trusted components can connect
- require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate
distribution
Reporters
Samy Ghannad (@SamyGhannad on Github) reported that read access via PrevKv in a Put request within etcd transactions bypassed RBAC authorization checks. Benjamin Wang (@ahrtr ) further analyzed that lease attachment in a Put request within etcd transactions also bypassed RBAC authorization checks
AnalysisAI
etcd RBAC authorization bypass allows authenticated users to read unauthorized data or attach leases via PrevKv or lease attachment features in transaction Put requests, circumventing role-based access control checks. Affects etcd 3.4.x through 3.6.x before patched versions 3.4.44, 3.5.30, and 3.6.11. While Kubernetes deployments are typically not affected because the API server handles its own authorization, etcd deployments with reliance on etcd's built-in RBAC-particularly those managed directly or used outside Kubernetes-face exposure to privilege escalation and unauthorized data access by already-authenticated users.
Technical ContextAI
etcd is a distributed key-value store commonly used for cluster coordination and configuration management. The vulnerability resides in the transaction processing logic for Put requests, specifically in how RBAC authorization checks are enforced when PrevKv (previous key-value retrieval) or lease attachment features are invoked within transaction operations. CWE-863 (Incorrect Authorization) indicates the root cause: the authorization module fails to validate permissions for nested or feature-specific request parameters within compound operations. The affected Go module is go.etcd.io/etcd/v3. Transaction operations allow multiple key-value modifications in a single atomic request; the vulnerability occurs because RBAC checks do not properly scope to sub-operations that read data (PrevKv) or manipulate resource lifecycles (lease attachment), allowing users with write-only permissions to implicitly perform reads or lease management.
RemediationAI
Upgrade etcd immediately to patched versions: 3.6.11 or later for the 3.6.x branch, 3.5.30 or later for 3.5.x, or 3.4.44 or later for 3.4.x. If immediate upgrade is not possible, implement compensating controls: restrict network access to etcd server ports (default 2379 for client, 2380 for peer) to only trusted application components and exclude untrusted clients entirely; enforce mutual TLS (mTLS) with tightly scoped client certificates where each client certificate is issued with minimal privileges matching its operational role, preventing lateral privilege escalation even if a client is compromised; treat affected RPCs (Put operations with PrevKv or lease attachment within transactions) as unauthenticated in practice by implementing an external authorization gateway that re-validates permissions before reaching etcd. These mitigations reduce but do not eliminate risk; patching is strongly preferred. Reference: https://github.com/etcd-io/etcd/security/advisories/GHSA-x35m-3gp4-4fh5
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30345
GHSA-x35m-3gp4-4fh5