#1132038 etcd: CVE-2026-33413

Package:
src:etcd
Source:
src:etcd
Submitter:
Salvatore Bonaccorso
Date:
2026-05-31 00:21:03 UTC
Severity:
normal
Tags:
#1132038#5
Date:
2026-03-27 13:27:38 UTC
From:
To:
Hi,

The following vulnerability was published for etcd.

CVE-2026-33413[0]:
| etcd is a distributed key-value store for the data of a distributed
| system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized
| users may bypass authentication or authorization checks and call
| certain etcd functions in clusters that expose the gRPC API to
| untrusted or partially trusted clients. In unpatched etcd clusters
| with etcd auth enabled, unauthorized users are able to call MemberList
| and learn cluster topology, including member IDs and advertised
| endpoints; call Alarm, which can be abused for operational disruption
| or denial of service; use Lease APIs, interfering with TTL-based keys
| and lease ownership; and/or trigger compaction, permanently removing
| historical revisions and disrupting watch, audit, and recovery
| workflows. Kubernetes does not rely on etcd’s built-in
| authentication and authorization. Instead, the API server handles
| authentication and authorization itself, so typical Kubernetes
| deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9
| contain a patch. If upgrading is not immediately possible, reduce
| exposure by treating the affected RPCs as unauthenticated in practice.
| Restrict network access to etcd server ports so only trusted
| components can connect and/or require strong client identity at the
| transport layer, such as mTLS with tightly scoped client certificate
| distribution.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33413
https://www.cve.org/CVERecord?id=CVE-2026-33413
[1] https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
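The transport-layer mitigation the advisory above recommends, shown as an added illustration that is not part of the bug report or of the etcd project's own documentation: an etcd YAML configuration that exposes the client gRPC API without any client identity check, beside one that requires mTLS and binds the listener to a single control-plane address. The two documents stand for two separate config files; the 10.0.0.5 address and all certificate paths are placeholders.

```yaml
# Exposed: plain HTTP on every interface. Any host that can reach port 2379
# can call the RPCs an unpatched etcd left unauthenticated (MemberList, Alarm,
# Lease APIs, Compact), even though etcd auth itself is enabled.
name: 'etcd-1'
data-dir: /var/lib/etcd
listen-client-urls: http://0.0.0.0:2379
advertise-client-urls: http://0.0.0.0:2379

---
# Reduced exposure: TLS with mandatory client-certificate verification on the
# client listener, bound to one address on the trusted network, and the same
# policy for the peer listener. This narrows who can reach the affected RPCs;
# it does not replace upgrading to 3.4.42 / 3.5.28 / 3.6.9 (Debian 3.5.16-11).
name: 'etcd-1'
data-dir: /var/lib/etcd
listen-client-urls: https://10.0.0.5:2379        # placeholder control-plane address
advertise-client-urls: https://10.0.0.5:2379
listen-peer-urls: https://10.0.0.5:2380
initial-advertise-peer-urls: https://10.0.0.5:2380
client-transport-security:
  cert-file: /etc/etcd/pki/server.crt            # placeholder paths
  key-file: /etc/etcd/pki/server.key
  client-cert-auth: true                         # reject clients without a cert chaining to trusted-ca-file
  trusted-ca-file: /etc/etcd/pki/client-ca.crt   # dedicated CA so client cert issuance stays tightly scoped
  auto-tls: false                                # never fall back to self-generated certs
peer-transport-security:
  cert-file: /etc/etcd/pki/peer.crt
  key-file: /etc/etcd/pki/peer.key
  client-cert-auth: true
  trusted-ca-file: /etc/etcd/pki/peer-ca.crt
  auto-tls: false
```

Every holder of a certificate signed by client-ca.crt can still reach the affected RPCs on an unpatched server, which is why the advisory pairs mTLS with tightly scoped certificate distribution and network restrictions on port 2379.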

#1132038#10
Date:
2026-05-31 00:18:51 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
etcd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1132038@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated etcd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 30 May 2026 18:01:06 -0400
Source: etcd
Architecture: source
Version: 3.5.16-11
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 1132037 1132038 1136829 1137394
Changes:
 etcd (3.5.16-11) unstable; urgency=medium
 .
   * Fix FTBFS with OpenTelemetry 0.60+ (Closes: #1137394)
   * Backport security fixes:
     - CVE-2026-33413: guard unauthenticated endpoints with auth checks
       (Closes: #1132038)
     - CVE-2026-33343: enforce auth checks for nested txn ops
       (Closes: #1132037)
     - CVE-2026-44283: fix PrevKv and Lease auth bypass in Txn
       (Closes: #1136829)