High (8.8)

Etcd authentication bypass (CVE-2026-33413)

CVE-2026-33413

Attacker bypasses etcd auth to trigger data loss and DoS attacks. Upgrade to etcd 3.4.42, 3.5.28, or 3.6.9 to fix CVE-2026-33413.

Affected: etcd

Vendor-confirmed: CVE-2026-33413 is a high-severity authentication bypass in etcd versions prior to 3.4.42, 3.5.28, and 3.6.9 that lets unauthenticated attackers call the member list, alarm, lease, and compaction APIs, leading to DoS, data loss, and information disclosure. Immediate patching is critical.

Overview

A significant security vulnerability, tracked as CVE-2026-33413, has been identified in etcd, a critical distributed key-value store used by many systems, including Kubernetes. The flaw is an authentication bypass that affects clusters with etcd’s built-in authentication enabled: clients without valid credentials can invoke certain etcd operations that should require them.

Vulnerability Details

In affected versions (prior to 3.4.42, 3.5.28, and 3.6.9), the vulnerability exists in the gRPC API. When this API is exposed to untrusted or partially trusted clients, attackers can bypass authentication and authorization checks to call specific etcd functions. This bypass occurs even when etcd’s own “auth” feature is turned on.

Potential Impact

The impact of successful exploitation is severe and can lead to:

  • Information Disclosure: Attackers can call the MemberList function to learn the internal topology of the cluster, including member IDs and network endpoints.
  • Operational Disruption: By calling the Alarm function, an attacker can trigger denial-of-service conditions. The Lease APIs can be abused to interfere with time-to-live (TTL) keys and disrupt lease management.
  • Data Loss and Recovery Issues: An attacker could trigger a compaction, which permanently removes historical data revisions. This action can break critical workflows that rely on that history, such as watch functions, auditing, and disaster recovery.

Important Note for Kubernetes Users: Standard Kubernetes deployments are NOT affected by this specific flaw. Kubernetes does not use etcd’s built-in authentication; the Kubernetes API server handles all authentication and authorization itself before communicating with etcd.

Remediation and Mitigation

The primary and most effective action is to apply the official patches.

  1. Immediate Patching: Upgrade your etcd clusters to the patched versions immediately.

    • Upgrade to version 3.4.42, 3.5.28, or 3.6.9, depending on your release branch.
  2. If Patching is Delayed: If you cannot upgrade immediately, implement these network-level mitigations:

    • Restrict Network Access: Ensure etcd server ports are only accessible by explicitly trusted components (like your Kubernetes API servers). Use strict firewall rules and network policies.
    • Enforce Strong Transport Security: Require mutual TLS (mTLS) for all client connections to etcd. Tightly control and scope the distribution of client certificates to prevent unauthorized access.
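The following triage helper is an added example, not code from the advisory or the etcd project. It compares each member's server version against the fixed release for its branch and, because the advisory only affects clusters with built-in auth enabled, folds the auth setting into the verdict. The `etcdctl endpoint status -w json` output shape and the sample member list are assumptions; the pre-3.4 branch is reported as unknown because the advisory does not list a fix for it.

```python
"""Triage helper for CVE-2026-33413: is each etcd member on a patched
release, and does the cluster's auth setting make the bypass matter?
Added example, not etcd project code."""
import json
import re

# Fixed versions per release branch, as published in the advisory.
FIXED = {(3, 4): (3, 4, 42), (3, 5): (3, 5, 28), (3, 6): (3, 6, 9)}

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple:
    """Pull the first x.y.z triple out of e.g. 'etcd Version: 3.5.27'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no etcd version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str, auth_enabled: bool) -> str:
    """Classify one server version against the advisory's fixed releases.

    'fixed'             -> at or above the fixed version for its branch
    'vulnerable'        -> unpatched and built-in auth is on (the affected case)
    'unpatched-no-auth' -> unpatched, auth is off so there is nothing to bypass;
                           still upgrade, and treat network exposure as the risk
    'unknown-branch'    -> branch not listed in the advisory; check the vendor notice
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    if (major, minor, patch) >= fixed:
        return "fixed"
    return "vulnerable" if auth_enabled else "unpatched-no-auth"


def assess_endpoint_status(json_text: str, auth_enabled: bool) -> dict:
    """Classify every member in `etcdctl endpoint status --cluster -w json` output.
    Assumed shape: a list of {"Endpoint": ..., "Status": {"version": ...}}."""
    return {m["Endpoint"]: assess(m["Status"]["version"], auth_enabled)
            for m in json.loads(json_text)}


# Constructed sample output (not a real cluster): one member lagging behind.
SAMPLE_STATUS = json.dumps([
    {"Endpoint": "https://10.0.0.1:2379", "Status": {"version": "3.5.28"}},
    {"Endpoint": "https://10.0.0.2:2379", "Status": {"version": "3.5.27"}},
])

if __name__ == "__main__":
    for endpoint, verdict in assess_endpoint_status(SAMPLE_STATUS, True).items():
        print(f"{endpoint}: {verdict}")
```

Run it against real `etcdctl endpoint status --cluster -w json` output to get one verdict per member; a mixed-version cluster is still exposed until its last lagging member is upgraded.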


Conclusion

CVE-2026-33413 is a high-risk vulnerability that undermines the security of etcd clusters using its native authentication. Administrators must prioritize patching or implement strict network controls to prevent unauthorized access, operational disruption, and potential data loss.

Update - May 2026

As of mid-May 2026, CVE-2026-33413 remains not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, though continued monitoring is advised given the authentication bypass vector. The Exploit Prediction Scoring System (EPSS) score has increased slightly from 0.00048 to 0.0006 (18th percentile), indicating low but rising exploit interest.

Patches remain available in etcd versions 3.4.42, 3.5.28, and 3.6.9, as originally published. No vendor advisory updates have been released since March 2026.

No related CVEs in the etcd family or similar attack patterns (authentication/authorization bypass in distributed key-value stores) have been disclosed since the original advisory.

No confirmed exploitation in the wild has been reported, and no public proof-of-concept or detection signatures have been observed on major threat intelligence platforms.

Recommended defensive actions:

  • Immediately upgrade to the patched versions listed above if not yet applied.
  • Monitor etcd audit logs for unusual API calls or unauthorized access attempts that might bypass authentication.
  • Review network access controls to ensure etcd endpoints are not exposed to untrusted networks.
  • Continue tracking EPSS and KEV updates; reassess prioritization if EPSS surpasses 0.1 or if KEV addition is announced.