[Security Advisories] CVE-2026-33413 and CVE-2026-33343: some etcd operations bypass authorization checks


Ivan Valdes Castillo

Mar 23, 2026, 6:54:17 PM
to etcd-dev
Hello etcd community,
Two security vulnerabilities were discovered in etcd, allowing some operations to bypass authorization checks.
Both vulnerabilities have been rated Moderate, with CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N, and assigned CVE-2026-33413 and CVE-2026-33343 respectively.

Am I vulnerable?
If you enable etcd auth, you may be vulnerable.

Affected Versions
  • etcd: <= v3.4.41
  • etcd: <= v3.5.27
  • etcd: <= v3.6.8

How do I mitigate this vulnerability?
These vulnerabilities can be mitigated by:
  • Restricting network access to the etcd server ports to only trusted components.
  • Requiring a strong client identity at the transport layer, such as a tightly scoped mTLS client certificate.

Fixed Versions
  • etcd: v3.4.42
  • etcd: v3.5.28
  • etcd: v3.6.9
All of them were released on March 20th, 2026.

Additional note
Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.

Acknowledgements
The vulnerability covered in CVE-2026-33413 was reported by Isaac David from bugbunny.ai, Asim Viladi Oglu Manizada, Alex Schapiro & Ahmed Allam from Strix security (strix.ai), Luke Francis, and @OLU-DEVX.

The vulnerability covered in CVE-2026-33343 was reported by Luke Francis and Battulga Byambaa.
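As an added example (not part of the advisory or the etcd project), a small POSIX sh helper that classifies an etcd version against the fixed versions listed above: it accepts either a bare `X.Y.Z` or the `etcd Version: X.Y.Z` line printed by `etcd --version`, and reports `fixed`, `vulnerable`, or `unknown` (for release lines the advisory does not mention). The function name is hypothetical.

```shell
#!/bin/sh
# Added example: decide whether an etcd release is on or past the fixed
# versions named in the advisory (3.4.42, 3.5.28, 3.6.9). Exit status:
# 0 = fixed, 1 = vulnerable, 2 = unknown (unparseable or an unlisted line).
etcd_auth_bypass_status() {
  # Extract the first X.Y.Z triple from the argument (tolerates a "v" prefix
  # and the "etcd Version: X.Y.Z" form printed by `etcd --version`).
  ver=$(printf '%s' "$1" \
    | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
    | head -n 1)
  [ -n "$ver" ] || { echo unknown; return 2; }

  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}

  [ "$major" = 3 ] || { echo unknown; return 2; }

  # Fixed patch level per release line, taken from the advisory above.
  case "$minor" in
    4) fixed=42 ;;
    5) fixed=28 ;;
    6) fixed=9 ;;
    *) echo unknown; return 2 ;;
  esac

  if [ "$patch" -ge "$fixed" ]; then
    echo fixed
    return 0
  fi
  echo vulnerable
  return 1
}

# Typical use on a host running etcd (constructed invocation):
#   etcd_auth_bypass_status "$(etcd --version | head -n 1)"
```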
