Bug 2451727 (CVE-2026-33343) - CVE-2026-33343 etcd: etcd: Authorization bypass allows information disclosure via nested transactions
Summary: CVE-2026-33343 etcd: etcd: Authorization bypass allows information disclosure...
Keywords:
Status: NEW
Alias: CVE-2026-33343
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2452160 2452161
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-26 14:03 UTC by OSIDB Bzimport
Modified: 2026-03-27 07:54 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-03-26 14:03:21 UTC 
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
Note You need to log in before you can comment on or make changes to this bug.