CVE-2026-44283

Severity: NONE (CVSS 0.0) | EPSS: 0.01%

etcd RBAC bypass allows unauthorized data access via PrevKv/lease attachment in nested transaction Put requests

Published: 5/7/2026
Modified: 6/4/2026

Also known as: GHSA-x35m-3gp4-4fh5, BIT-etcd-2026-44283, CGA-wjgx-pjrx-8cjv

Description

### Impact

A vulnerability in etcd allows read access via PrevKv, or lease attachment, in Put requests within transaction operations to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled.

Kubernetes does not rely on etcd's built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.

### Patches

This vulnerability is patched in the following versions:

- etcd 3.6.11
- etcd 3.5.30
- etcd 3.4.44

### Workarounds

If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice:

- restrict network access to etcd server ports so only trusted components can connect
- require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution

### Reporters

Samy Ghannad (@SamyGhannad on GitHub) reported that read access via PrevKv in a Put request within etcd transactions bypassed RBAC authorization checks. Benjamin Wang (@ahrtr) further analyzed that lease attachment in a Put request within etcd transactions also bypassed RBAC authorization checks.
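The Patches section above lists one fixed release per etcd minor line, so a fleet check has to compare per line rather than against a single number (3.5.29 is affected even though it is numerically above 3.4.44). The following Go program is an added example written for this page, not code from the etcd project: given a server version string as reported by `etcd --version` or the status RPC, it classifies the member as affected, fixed, or outside the lines the advisory covers. It assumes versions of the form `3.5.29`, `v3.5.29` or `v3.5.30-rc.0` (a pre-release suffix is treated as older than the final release), and it deliberately reports any minor line the advisory does not name as unknown instead of guessing.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedPatch maps an etcd minor release line to the first patch release that
// carries the fix for CVE-2026-44283, exactly as listed in the advisory.
// Lines not present here are reported as Unknown rather than assumed safe.
var fixedPatch = map[string]int{
	"3.4": 44,
	"3.5": 30,
	"3.6": 11,
}

// Status is the outcome of checking one etcd server version.
type Status int

const (
	Affected Status = iota // on a listed line, below the fixed patch release
	Fixed                  // at or above the fixed patch release for its line
	Unknown                // version line not covered by the advisory
)

func (s Status) String() string {
	switch s {
	case Affected:
		return "AFFECTED"
	case Fixed:
		return "fixed"
	default:
		return "unknown (line not in advisory)"
	}
}

// parseVersion accepts "3.5.29", "v3.5.29" or "v3.5.30-rc.0" and returns
// major, minor, patch and whether a pre-release suffix was present.
// Format handling is an assumption of this example, not an etcd guarantee.
func parseVersion(v string) (major, minor, patch int, pre bool, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.Index(v, "+"); i >= 0 { // drop build metadata
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 { // pre-release sorts before the release
		v, pre = v[:i], true
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, false, fmt.Errorf("malformed version %q", v)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil {
			return 0, 0, 0, false, fmt.Errorf("malformed version %q: %w", v, convErr)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], pre, nil
}

// Check classifies an etcd version string against the advisory's fixed releases.
func Check(version string) (Status, error) {
	major, minor, patch, pre, err := parseVersion(version)
	if err != nil {
		return Unknown, err
	}
	fixed, ok := fixedPatch[fmt.Sprintf("%d.%d", major, minor)]
	if !ok {
		return Unknown, nil
	}
	// A pre-release of the fixed version (e.g. 3.5.30-rc.0) predates the fix.
	if patch > fixed || (patch == fixed && !pre) {
		return Fixed, nil
	}
	return Affected, nil
}

func main() {
	// Constructed sample inventory for illustration; not real hosts.
	inventory := map[string]string{
		"etcd-a": "v3.5.29",
		"etcd-b": "3.5.30",
		"etcd-c": "v3.4.43",
		"etcd-d": "3.6.11",
		"etcd-e": "3.7.0",
	}
	for member, ver := range inventory {
		st, err := Check(ver)
		if err != nil {
			fmt.Printf("%-7s %-10s error: %v\n", member, ver, err)
			continue
		}
		fmt.Printf("%-7s %-10s %s\n", member, ver, st)
	}
}
```

Members reported as AFFECTED should be upgraded to the listed release for their line; until then the network restrictions and mTLS client authentication from the Workarounds section limit who can reach the transaction RPCs at all.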

Affected packages (4)

CVSS scores

| Source | Version  | Severity | Vector                                       |
|--------|----------|----------|----------------------------------------------|
| osv    | CVSS 3.1 | NONE 0.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N |

References (4)