CVE-2026-33343: etcd Nested Transactions Bypass RBAC
An authenticated user with restricted key-range permissions can use nested transactions to access the entire etcd data store, bypassing RBAC entirely.
Summary
etcd evaluates transactions recursively. When a transaction’s body contains nested transactions, the inner operations were not re-checked against the caller’s RBAC permissions. An authenticated user with restricted key-range permissions could use a nested transaction to read or modify keys outside their permitted range — the entire data store, in practice.
Discovery
Found during code review of etcd’s transaction evaluator while examining the auth surface. The outer call enforced authorization on the keys it touched; inner operations executed under the parent’s authorization context without being re-checked.
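To make the defect class concrete, here is an added example that is not etcd’s code and not taken from the advisory: a deliberately simplified model of a transaction body with nested transactions, an RBAC key-range grant, and two authorizers. `checkTopLevelOnly` reproduces the shape of the bug described above (nested bodies are never descended into), and `checkRecursive` is the corrected shape that walks every branch before anything executes. The types `Op` and `Perm` and both checker names are hypothetical; read and write permissions are merged to keep the model small, and real requests also carry compare conditions whose keys a complete checker must authorize as well.

```go
package main

import "fmt"

// Op is a constructed model of one transaction request. It is not etcd's own
// type: it stands in for Range/Put/DeleteRange plus a nested Txn whose
// Success and Failure branches carry further ops.
type Op struct {
	Kind     string // "range", "put", "delete" or "txn"
	Key      string
	RangeEnd string // "" for a single key, "\x00" for "to the end of the keyspace"
	Success  []Op   // used only when Kind == "txn"
	Failure  []Op
}

// Perm is a constructed stand-in for one RBAC key-range grant [Key, RangeEnd).
type Perm struct {
	Key, RangeEnd string
}

// covers reports whether the grant contains the whole request range [key, rangeEnd).
func (p Perm) covers(key, rangeEnd string) bool {
	if key < p.Key {
		return false
	}
	switch {
	case rangeEnd == "": // single-key request
		if p.RangeEnd == "" {
			return key == p.Key
		}
		return p.RangeEnd == "\x00" || key < p.RangeEnd
	case rangeEnd == "\x00": // open-ended request needs an open-ended grant
		return p.RangeEnd == "\x00"
	default: // bounded range must sit inside a bounded or open-ended grant
		if p.RangeEnd == "" {
			return false
		}
		return p.RangeEnd == "\x00" || rangeEnd <= p.RangeEnd
	}
}

// permitted reports whether any grant covers op's key range.
func permitted(perms []Perm, op Op) bool {
	for _, p := range perms {
		if p.covers(op.Key, op.RangeEnd) {
			return true
		}
	}
	return false
}

// checkTopLevelOnly mirrors the defect: only ops listed directly in the body are
// authorized, and a nested txn is skipped, so its inner ops would later run
// under the parent's authorization context.
func checkTopLevelOnly(perms []Perm, ops []Op) error {
	for _, op := range ops {
		if op.Kind == "txn" {
			continue
		}
		if !permitted(perms, op) {
			return fmt.Errorf("%s %q: permission denied", op.Kind, op.Key)
		}
	}
	return nil
}

// checkRecursive is the corrected shape: every op in every nested branch is
// authorized against the caller's grants before any part of the txn runs.
func checkRecursive(perms []Perm, ops []Op) error {
	for _, op := range ops {
		if op.Kind == "txn" {
			if err := checkRecursive(perms, op.Success); err != nil {
				return err
			}
			if err := checkRecursive(perms, op.Failure); err != nil {
				return err
			}
			continue
		}
		if !permitted(perms, op) {
			return fmt.Errorf("%s %q: permission denied", op.Kind, op.Key)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a caller granted only /app/... submits a txn whose
	// nested body ranges over the whole keyspace.
	perms := []Perm{{Key: "/app/", RangeEnd: "/app0"}}
	req := []Op{{Kind: "txn", Success: []Op{{Kind: "range", Key: "\x00", RangeEnd: "\x00"}}}}
	fmt.Println("top-level only:", checkTopLevelOnly(perms, req)) // nil: the inner op is never checked
	fmt.Println("recursive:     ", checkRecursive(perms, req))    // permission denied
}
```

The point of the recursive walk is that authorization is a property of the request tree, not of its root: any evaluator that recurses to execute must also recurse to authorize, and a checker that is done before execution starts also avoids partially applied transactions. When reviewing a patch for this class of bug, look for the authorization pass and the execution pass to have the same traversal shape.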
Impact
- CVSS: 6.5
- Any authenticated user with any key-range permission can escape the range constraint.
Note on Kubernetes
As with CVE-2026-33413, Kubernetes is not affected — the API server enforces authorization above etcd.
Status
Patched in etcd 3.6.9, 3.5.28, 3.4.42. Credited in the SIG-etcd security release.