May security update release


Josh Berkus
May 5, 2026, 1:25:18 PM
to etcd-dev

SIG-etcd released updates
[v3.6.11](https://github.com/etcd-io/etcd/releases/tag/v3.6.11),
[v3.5.30](https://github.com/etcd-io/etcd/releases/tag/v3.5.30), and
[v3.4.44](https://github.com/etcd-io/etcd/releases/tag/v3.4.44) today.
These patch releases fix a vulnerability that allows an authenticated
user to bypass RBAC authorization checks when reading data via `PrevKv`
or attaching leases inside `Put` requests nested in etcd transactions.

In addition, v3.6.11 and v3.5.30 contain a bug fix for an issue that
prevented adding a new member when one member was down, even though
quorum was still satisfied.

This vulnerability does not affect etcd as a part of the Kubernetes
Control Plane. Kubernetes does not rely on etcd's built-in
authentication and authorization; the API server handles authentication
and authorization itself. The issue only affects etcd clusters in other
contexts, specifically ones with Auth enabled where it is required for
access control in untrusted or partially trusted networks or with
untrusted users.

Users depending on etcd Auth in this way should update their clusters
immediately. Other etcd users can update at the next regularly
scheduled maintenance period.

**EOL Notice**: etcd 3.4 is scheduled to be EOL in May 2026. If you are
still using version 3.4, please start planning your upgrade now.

See the blog for complete details:
https://etcd.io/blog/2026/may-patch-release/

--
Josh Berkus
Kubernetes Community Architect
Red Hat Open Source Practice Office
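
The update guidance in the announcement above, written as a triage check an operator could run over a cluster inventory. This is an added example, not part of the original message or the etcd project's code; the function name `Triage`, the `reliesOnAuth` flag (the operator's own judgment of whether the cluster depends on etcd Auth for access control) and the result labels are assumptions, and the sample inventory is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedPatch maps each release line named in the announcement to the patch
// level that carries the fix (v3.6.11, v3.5.30, v3.4.44).
var fixedPatch = map[string]int{"3.6": 11, "3.5": 30, "3.4": 44}

// Triage classifies one cluster. reliesOnAuth is supplied by the operator
// (hypothetical flag): true when etcd Auth is the access-control boundary.
func Triage(version string, reliesOnAuth bool) (string, error) {
	v := strings.TrimPrefix(strings.TrimSpace(version), "v")
	// Drop pre-release or build suffixes such as "-rc.1" or "+git".
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("unparseable version %q", version)
	}
	patch, err := strconv.Atoi(parts[2])
	if err != nil {
		return "", fmt.Errorf("unparseable patch level in %q", version)
	}
	fixed, ok := fixedPatch[parts[0]+"."+parts[1]]
	switch {
	case !ok:
		return "unknown", nil // release line not named in the announcement
	case patch >= fixed:
		return "patched", nil
	case reliesOnAuth:
		return "update-now", nil // depends on etcd Auth and lacks the fix
	default:
		return "update-at-maintenance", nil
	}
}

func main() {
	// Constructed inventory, for illustration only.
	for _, c := range []struct{ v string; auth bool }{
		{"v3.5.29", true}, {"3.6.11", true}, {"v3.4.40", false}, {"3.3.27", true}} {
		r, err := Triage(c.v, c.auth)
		fmt.Println(c.v, c.auth, r, err)
	}
}
```

Release lines the announcement does not name come back as `unknown` rather than being guessed at.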
