{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-15T01:45:22.863","vulnerabilities":[{"cve":{"id":"CVE-2026-33343","sourceIdentifier":"security-advisories@github.com","published":"2026-03-26T14:16:13.137","lastModified":"2026-03-26T20:41:35.243","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution."},{"lang":"es","value":"etcd es un almacén distribuido de clave-valor para los datos de un sistema distribuido. Antes de las versiones 3.4.42, 3.5.28 y 3.6.9, un usuario autenticado con permisos RBAC restringidos en rangos de claves puede usar transacciones anidadas para eludir toda la autorización a nivel de clave. Esto permite a cualquier usuario autenticado con acceso directo a etcd ignorar efectivamente todas las restricciones de rango de claves, accediendo a todo el almacén de datos de etcd. Kubernetes no depende de la autenticación y autorización integradas de etcd. En su lugar, el servidor API maneja la autenticación y autorización por sí mismo, por lo que las implementaciones típicas de Kubernetes no se ven afectadas. Las versiones 3.4.42, 3.5.28 y 3.6.9 contienen un parche. Si la actualización no es posible de inmediato, reduzca la exposición tratando los RPC afectados como no autenticados en la práctica. Restrinja el acceso de red a los puertos del servidor etcd para que solo los componentes de confianza puedan conectarse y requiera una identidad de cliente fuerte en la capa de transporte, como mTLS con distribución de certificados de cliente de alcance limitado."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N","baseScore":0.0,"baseSeverity":"NONE","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":0.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*","versionEndExcluding":"3.4.42","matchCriteriaId":"F9D28F29-7668-485E-BE8A-7D74EECA0C86"},{"vulnerable":true,"criteria":"cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5.0","versionEndExcluding":"3.5.28","matchCriteriaId":"5C785A0D-9833-40E8-9BB5-DE51033FE744"},{"vulnerable":true,"criteria":"cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6.0","versionEndExcluding":"3.6.9","matchCriteriaId":"A5676998-E142-4BF3-B2CC-9AA1F9AC1946"}]}]}],"references":[{"url":"https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}}]}