GHSA-q8m4-xhhv-38mg · 深刻度: high · エコシステム: go — etcd: Authorization bypasses in multiple APIs
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
総合評価: CVE-2026-33413 は中リスク(41/100)。CVSS 深刻度は高。悪用される可能性が高い(EPSS 0.25%、16 パーセンタイル) 推奨対応: 影響資産を整理し、修補計画に組み込んでください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.03% | 0.25% | +0.22% |
| 2 | 2026-05-22 | 0.05% | 0.03% | -0.02% |
| 3 | 2026-04-20 | — | 0.05% | — |
EPSS の全履歴 (全 4 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 8.8 | 4.0 | HIGH |
|
— | — | [email protected] |
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | [email protected] |
GHSA-q8m4-xhhv-38mg · 深刻度: high · エコシステム: go — etcd: Authorization bypasses in multiple APIs
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2026-33413: 1 source package rows (etcd); 22 state rows across 2 repos (3.23-community, edge-community); fixed 0, open 22. | https://security.alpinelinux.org/vuln/CVE-2026-33413 |
debian
|
not yet assigned | CVE-2026-33413 not yet assigned priority: Debian including 1 source packages (etcd), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 3, resolved 2. | https://security-tracker.debian.org/tracker/CVE-2026-33413 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2026-33413 |
suse
|
high | CVE-2026-33413 severity important: SUSE including 85 source package names (docker, docker-bash-completion, …), 340 product×package rows across 27 product lines (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS, … (27 product lines)): Known Not Affected 338, Fixed 2. | https://www.suse.com/security/cve/CVE-2026-33413/ |
ubuntu
|
medium | CVE-2026-33413 medium priority: Ubuntu including 1 source packages (etcd), 7 status rows across 7 suites (bionic, focal, jammy, noble, questing, upstream, xenial): needs-triage 7. | https://ubuntu.com/security/CVE-2026-33413 |
| URL | タグ |
|---|---|
| https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg | Mitigation Vendor Advisory |