Auth bypass in Etcd-io Etcd
CVE-2026-33343
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-lev…
Vulnerability class: Broken Access Control
EPSS: 0.000 (6.2th percentile)
Affected products
- Etcd-io Etcd — versions < 3.4.42; >= 3.5.0-alpha.0, < 3.5.28; >= 3.6.0-alpha.0, < 3.6.9
Weakness classification (CWE)
References
- https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q (x_refsource_CONFIRM)