CVE-2026-33343 | etcd: Nested etcd transactions bypass RBAC authorization checks

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

Published: 2026-03-26 Last update: 2026-03-26 Assigner: [email protected] Source: [email protected]
NVD Status:AnalyzedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2026-33343 is rated Low Risk (8.1/100): low exploitation likelihood (EPSS 0.03%). Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-33343

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-03-27 0.03%

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-33343

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
0.0 3.1 NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.
 3.9 0.0 [email protected]
6.5 3.1 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.
 2.8 3.6 [email protected]

Weakness enumeration for CVE-2026-33343

GitHub Security Advisory for CVE-2026-33343

GHSA-rfx7-8w68-q57q · Severity: low · Ecosystem: go — etcd: Nested etcd transactions bypass RBAC authorization checks

OS Trackers for CVE-2026-33343

vendor priority summary link
alpine CVE-2026-33343: 1 source package rows (etcd); 22 state rows across 2 repos (3.23-community, edge-community); fixed 0, open 22. https://security.alpinelinux.org/vuln/CVE-2026-33343
debian not yet assigned CVE-2026-33343 not yet assigned priority: Debian including 1 source packages (etcd), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 3, resolved 2. https://security-tracker.debian.org/tracker/CVE-2026-33343
redhat medium https://access.redhat.com/security/cve/CVE-2026-33343
suse high CVE-2026-33343 severity important: SUSE including 89 source package names (docker, docker-bash-completion, …), 351 product×package rows across 27 product lines (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS, … (27 product lines)): Known Not Affected 351. https://www.suse.com/security/cve/CVE-2026-33343/
ubuntu medium CVE-2026-33343 medium priority: Ubuntu including 1 source packages (etcd), 7 status rows across 7 suites (bionic, focal, jammy, noble, questing, upstream, xenial): needs-triage 7. https://ubuntu.com/security/CVE-2026-33343

Affected software / configurations for CVE-2026-33343

Vendor Product Version Raw CPE
etcd etcd < 3.4.42 cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*
etcd etcd >= 3.5.0, < 3.5.28 cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*
etcd etcd >= 3.6.0, < 3.6.9 cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*

References for CVE-2026-33343

cvelogic Threat Intelligence