CVE-2026-33413: etcd Authorization Bypass Across Multiple APIs
Multiple etcd APIs reachable without authorization: MemberList (cluster topology), Alarm, Lease APIs, and compaction. CVSS 8.8.
Summary
Several etcd APIs did not consult the auth middleware before serving requests. Unauthorized callers could:
- enumerate cluster topology via MemberList
- trigger or clear alarms (operational disruption)
- interact with the Lease APIs, interfering with TTL-based keys
- initiate compaction, permanently removing historical revisions
Discovery
Systematic review of etcd’s auth middleware and gRPC API layer. Cross-referenced every gRPC method against the set of methods that go through authorization, and looked at the gaps.
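The cross-reference described above, as an added example rather than the author's or the etcd project's own tooling: it pulls every `rpc` declaration out of a proto service definition and diffs the result against the set of methods the auth layer is assumed to cover. The proto excerpt and the `AUTHORIZED_METHODS` set are constructed for illustration; a real audit would read etcd's own rpc.proto and derive the covered set from the auth interceptor.

```python
import re
import sys

# Constructed excerpt in the style of a gRPC service definition (not etcd's real rpc.proto).
SAMPLE_PROTO = """
service KV {
  rpc Range(RangeRequest) returns (RangeResponse);
  rpc Put(PutRequest) returns (PutResponse);
  rpc Compact(CompactionRequest) returns (CompactionResponse);
}
service Lease {
  rpc LeaseGrant(LeaseGrantRequest) returns (LeaseGrantResponse);
  rpc LeaseRevoke(LeaseRevokeRequest) returns (LeaseRevokeResponse);
}
service Cluster {
  rpc MemberList(MemberListRequest) returns (MemberListResponse);
}
service Maintenance {
  rpc Alarm(AlarmRequest) returns (AlarmResponse);
}
"""

# Constructed: methods assumed to be routed through the auth check (hypothetical set).
AUTHORIZED_METHODS = {"KV.Range", "KV.Put"}

SERVICE_RE = re.compile(r"\s*service\s+(\w+)")
RPC_RE = re.compile(r"\s*rpc\s+(\w+)\s*\(")


def list_rpc_methods(proto_text):
    """Return every 'Service.Method' declared in the proto text (the full API surface)."""
    methods, service = set(), None
    for line in proto_text.splitlines():
        svc = SERVICE_RE.match(line)
        if svc:
            service = svc.group(1)  # track which service block we are inside
            continue
        rpc = RPC_RE.match(line)
        if rpc and service:
            methods.add(f"{service}.{rpc.group(1)}")
    return methods


def find_unauthorized(proto_text, authorized):
    """Methods exposed by the API surface but absent from the auth-checked set: the gaps."""
    return sorted(list_rpc_methods(proto_text) - set(authorized))


if __name__ == "__main__":
    # Pass a proto file path to audit a real definition; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROTO
    for method in find_unauthorized(text, AUTHORIZED_METHODS):
        print("no auth check:", method)
```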
Impact
- CVSS: 8.8
- An unauthenticated attacker with network reach to the etcd port can exfiltrate cluster topology and disrupt the cluster.
Note on Kubernetes
Kubernetes is not affected. The Kubernetes API server performs authorization itself and does not rely on etcd’s built-in auth.
Status
Patched in etcd 3.6.9, 3.5.28, 3.4.42. Credited in the SIG-etcd security release.