CVE-2026-33413 - Vulnerability Analysis
High | CVSS: 8.8 | Last Updated: March 26, 2026
etcd - Authentication Bypass & Denial of Service
Published: March 26, 2026 | Updated: March 26, 2026 | Remote Exploitable
Overview
etcd versions before 3.4.42, 3.5.28, and 3.6.9 contain an authentication and authorization bypass: the exposed gRPC API allows unauthorized users to call sensitive functions, letting attackers disrupt operations and access cluster topology. Exploitation requires the gRPC API to be exposed to untrusted clients.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Unauthorized users can disrupt cluster operations, remove historical data, and learn cluster topology, causing denial of service and operational disruption.
Mitigation
Upgrade to versions 3.4.42, 3.5.28, 3.6.9 or later; restrict network access and require strong client identity such as mTLS.
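To triage a fleet against the fixed releases listed above, the following added example (not code from this advisory or from the etcd project) classifies etcd version strings per release branch. The function names, the hostnames and the sample inventory are constructed for illustration, and treating branches newer than 3.6 as fixed is an assumption based on the "or later" wording.

```python
import re

# Fixed release per branch, taken from the advisory: 3.4.42, 3.5.28, 3.6.9.
FIXED = {(3, 4): 42, (3, 5): 28, (3, 6): 9}

# Accepts "3.5.27", "v3.5.28", "3.6.9-rc.1", "3.5.28+build1".
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$")


def classify(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for an etcd version string."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"  # unparseable: needs a manual check
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    branch = (major, minor)
    if branch in FIXED:
        fixed_patch = FIXED[branch]
        # A pre-release of the fixed patch (e.g. 3.6.9-rc.1) predates the fix release.
        if patch > fixed_patch or (patch == fixed_patch and not prerelease):
            return "fixed"
        return "vulnerable"
    if branch < min(FIXED):
        return "vulnerable"  # older than 3.4: below every fixed release
    return "fixed"  # assumption: branches newer than 3.6 ship the fix


def needs_upgrade(inventory):
    """Return sorted hostnames whose version is not confirmed fixed."""
    return sorted(h for h, v in inventory.items() if classify(v) != "fixed")


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "etcd-a.example.internal": "3.5.27",
    "etcd-b.example.internal": "v3.5.28",
    "etcd-c.example.internal": "3.6.9-rc.1",
    "etcd-d.example.internal": "3.4.42",
    "etcd-e.example.internal": "not-reported",
}

if __name__ == "__main__":
    for host in needs_upgrade(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host], classify(SAMPLE_INVENTORY[host]))
```

Hosts reported as "unknown" are listed alongside vulnerable ones so that an unparseable version never passes silently.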
Details
- CVE ID: CVE-2026-33413
- Severity: High
- CVSS Score: 8.8
- Type: broken_authentication
- Status: confirmed
CWE
- CWE-862
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H