Skip to main content

etcd EUVDEUVD-2026-30345

| CVE-2026-44283 LOW
Incorrect Authorization (CWE-863)
2026-05-07 https://github.com/etcd-io/etcd GHSA-x35m-3gp4-4fh5

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 03:45 vuln.today
Analysis Generated
May 07, 2026 - 03:45 vuln.today
CVE Published
May 07, 2026 - 03:21 nvd
LOW

DescriptionCVE.org

Impact

_What kind of vulnerability is it? Who is impacted?_

A vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled.

Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.

Patches

_Has the problem been patched? What versions should users upgrade to?_

This vulnerability is patched in the following versions:

  • etcd 3.6.11
  • etcd 3.5.30
  • etcd 3.4.44

Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice.

  • restrict network access to etcd server ports so only trusted components can connect
  • require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate

distribution

Reporters

Samy Ghannad (@SamyGhannad on Github) reported that read access via PrevKv in a Put request within etcd transactions bypassed RBAC authorization checks. Benjamin Wang (@ahrtr ) further analyzed that lease attachment in a Put request within etcd transactions also bypassed RBAC authorization checks

AnalysisAI

etcd RBAC authorization bypass allows authenticated users to read unauthorized data or attach leases via PrevKv or lease attachment features in transaction Put requests, circumventing role-based access control checks. Affects etcd 3.4.x through 3.6.x before patched versions 3.4.44, 3.5.30, and 3.6.11. While Kubernetes deployments are typically not affected because the API server handles its own authorization, etcd deployments with reliance on etcd's built-in RBAC-particularly those managed directly or used outside Kubernetes-face exposure to privilege escalation and unauthorized data access by already-authenticated users.

Technical ContextAI

etcd is a distributed key-value store commonly used for cluster coordination and configuration management. The vulnerability resides in the transaction processing logic for Put requests, specifically in how RBAC authorization checks are enforced when PrevKv (previous key-value retrieval) or lease attachment features are invoked within transaction operations. CWE-863 (Incorrect Authorization) indicates the root cause: the authorization module fails to validate permissions for nested or feature-specific request parameters within compound operations. The affected Go module is go.etcd.io/etcd/v3. Transaction operations allow multiple key-value modifications in a single atomic request; the vulnerability occurs because RBAC checks do not properly scope to sub-operations that read data (PrevKv) or manipulate resource lifecycles (lease attachment), allowing users with write-only permissions to implicitly perform reads or lease management.

RemediationAI

Upgrade etcd immediately to patched versions: 3.6.11 or later for the 3.6.x branch, 3.5.30 or later for 3.5.x, or 3.4.44 or later for 3.4.x. If immediate upgrade is not possible, implement compensating controls: restrict network access to etcd server ports (default 2379 for client, 2380 for peer) to only trusted application components and exclude untrusted clients entirely; enforce mutual TLS (mTLS) with tightly scoped client certificates where each client certificate is issued with minimal privileges matching its operational role, preventing lateral privilege escalation even if a client is compromised; treat affected RPCs (Put operations with PrevKv or lease attachment within transactions) as unauthenticated in practice by implementing an external authorization gateway that re-validates permissions before reaching etcd. These mitigations reduce but do not eliminate risk; patching is strongly preferred. Reference: https://github.com/etcd-io/etcd/security/advisories/GHSA-x35m-3gp4-4fh5

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

EUVD-2026-30345 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy