CVE-2026-33413 Impact, Exploitability, and Mitigation Steps | Wiz


CVE-2026-33413
etcd vulnerability analysis and mitigation

Overview

CVE-2026-33413 is an authorization bypass vulnerability (classified as "Authorization bypasses in multiple APIs") in etcd, the distributed key-value store widely used in cloud-native infrastructure. Multiple flaws allow unauthorized users to bypass authentication or authorization checks and invoke certain gRPC API functions in clusters that expose the gRPC API to untrusted or partially trusted clients. Affected versions include etcd ≤3.4.41, ≤3.5.27, and ≤3.6.8. The vulnerability was published on March 20, 2026, with patches released shortly after. It carries a CVSS v3.1 base score of 8.8 (High) (GitHub Advisory, Microsoft MSRC).

Technical details

The root cause is a missing authorization check (CWE-862) at the gRPC API layer in etcd: certain API endpoints fail to enforce authentication or authorization even when etcd auth is enabled. The flaw is not isolated to a single endpoint but affects multiple APIs (MemberList, Alarm, Lease, and compaction), all sharing the same underlying defect in the gRPC API layer. Any client with network access to the etcd gRPC port can therefore invoke these endpoints with no credentials or with only low-privilege ones. The precondition for exploitation is that the etcd cluster has auth enabled and its gRPC API is reachable by untrusted or partially trusted clients; standard Kubernetes deployments are explicitly noted as unaffected because the Kubernetes API server provides its own authentication layer and does not rely on etcd's built-in auth (GitHub Advisory).

Successful exploitation enables unauthorized users to: (1) call MemberList to enumerate cluster topology including member IDs and advertised peer endpoints, facilitating reconnaissance; (2) invoke the Alarm API to trigger operational disruption or denial of service; (3) abuse Lease APIs to interfere with TTL-based key management and lease ownership, potentially causing data inconsistency; and (4) trigger compaction, which permanently removes historical key revisions and disrupts watch operations, audit trails, and disaster recovery workflows. The combination of information disclosure, availability disruption, and potential permanent data loss makes this a high-severity issue for any etcd deployment directly exposing its gRPC API to untrusted networks (GitHub Advisory, Feedly).

Exploitation steps

  1. Reconnaissance: Identify etcd instances with the gRPC API exposed to the network (default port 2379) using tools like Shodan, Censys, or nmap. Confirm the target is running a vulnerable version (≤3.4.41, ≤3.5.27, or ≤3.6.8).
  2. Verify auth is enabled: Attempt a basic unauthenticated gRPC call (e.g., using etcdctl or a gRPC client) to confirm the cluster has auth enabled but is vulnerable to bypass.
  3. Call MemberList without credentials: Send an unauthenticated gRPC MemberList request to enumerate cluster members, their IDs, and advertised peer/client endpoints — enabling further targeting of the cluster.
  4. Abuse Alarm API for DoS: Send unauthenticated Alarm API calls to trigger or manipulate cluster alarms, potentially causing operational disruption or denial of service to legitimate clients.
  5. Manipulate Lease APIs: Issue unauthorized LeaseGrant, LeaseRevoke, or LeaseKeepAlive gRPC calls to interfere with TTL-based key expiration and lease ownership, disrupting applications relying on etcd leases.
  6. Trigger compaction: Send an unauthenticated Compact gRPC request to permanently remove historical key revisions, destroying audit trails, disrupting watch operations, and impairing disaster recovery capabilities (GitHub Advisory).

Indicators of compromise

  • Network: Unexpected gRPC connections to etcd port 2379 (or configured gRPC port) from untrusted or external IP addresses; unauthenticated or anomalous gRPC traffic patterns targeting MemberList, Alarm, Lease, or Compact endpoints.
  • Logs: etcd audit logs showing MemberList, Alarm, LeaseGrant, LeaseRevoke, or Compact API calls from unauthenticated or unexpected clients; repeated access attempts without valid credentials in etcd server logs.
  • Operational Anomalies: Unexpected cluster alarms being set or cleared; TTL-based keys expiring prematurely or leases being revoked without application action; sudden loss of historical key revisions (compaction events not initiated by authorized operators).
  • Watch/Recovery Disruption: Watch streams returning errors or missing events due to unauthorized compaction removing historical revisions; backup or audit tools reporting gaps in revision history.
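As an added defender-side example (not code from the Wiz page or the etcd project), the check below scans an access log for the affected API families reached without an authenticated user or from outside an allowlisted network. The JSON log format, the sample lines and the trusted network are constructed assumptions; the method strings are etcd's gRPC full method names.

```python
import ipaddress
import json

# etcd's full gRPC method names for the RPCs the advisory says can be invoked without auth.
AFFECTED_RPCS = {
    "/etcdserverpb.Cluster/MemberList": "MemberList",
    "/etcdserverpb.Maintenance/Alarm": "Alarm",
    "/etcdserverpb.Lease/LeaseGrant": "Lease",
    "/etcdserverpb.Lease/LeaseRevoke": "Lease",
    "/etcdserverpb.Lease/LeaseKeepAlive": "Lease",
    "/etcdserverpb.KV/Compact": "Compact",
}

# Assumption: only this network (e.g. the API-server subnet) should ever reach the gRPC port.
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample, not etcd's native log format: one JSON object per line, as a proxy or
# sidecar in front of etcd might emit it; "user" is empty when no auth token was presented.
SAMPLE_LOG = """\
{"ts":"2026-03-21T10:00:01Z","peer":"10.0.0.5","method":"/etcdserverpb.KV/Range","user":"apiserver"}
{"ts":"2026-03-21T10:00:02Z","peer":"203.0.113.7","method":"/etcdserverpb.Cluster/MemberList","user":""}
{"ts":"2026-03-21T10:00:03Z","peer":"203.0.113.7","method":"/etcdserverpb.Lease/LeaseRevoke","user":""}
{"ts":"2026-03-21T10:00:04Z","peer":"10.0.0.5","method":"/etcdserverpb.KV/Compact","user":"apiserver"}
{"ts":"2026-03-21T10:00:05Z","peer":"10.0.0.9","method":"/etcdserverpb.KV/Compact","user":""}
"""

def triage(log_text):
    """Return (ts, peer, api, reasons) for affected RPCs that arrive without an authenticated
    user or from outside TRUSTED_NET; unaffected RPCs such as Range are ignored."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        api = AFFECTED_RPCS.get(ev["method"])
        if api is None:
            continue
        reasons = []
        if not ev.get("user"):
            reasons.append("unauthenticated")
        if ipaddress.ip_address(ev["peer"]) not in TRUSTED_NET:
            reasons.append("untrusted-source")
        if reasons:  # an authenticated call from the trusted network is expected traffic
            findings.append((ev["ts"], ev["peer"], api, reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```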

Mitigation and workarounds

Patches are available in etcd versions 3.4.42, 3.5.28, and 3.6.9 — upgrading to one of these versions is the recommended remediation (GitHub Advisory). Microsoft has also released updates for affected CBL-Mariner and Azure Linux packages (Microsoft MSRC). If immediate upgrade is not possible, apply the following workarounds:

  • Restrict network access: Use firewall rules or network segmentation to ensure only trusted components (e.g., the Kubernetes API server or authorized clients) can reach etcd gRPC ports.
  • Enforce mTLS: Require mutual TLS (mTLS) with tightly scoped client certificate distribution at the transport layer to limit which clients can connect.
  • Treat affected RPCs as unauthenticated: Operationally assume MemberList, Alarm, Lease, and Compact APIs are accessible without auth and restrict access accordingly until patching is complete.
  • Audit access logs: Review etcd logs for unauthorized API calls to the affected endpoints.
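An added triage helper, not code from the page or the etcd project, that applies the fixed versions and the exposure precondition stated above to a fleet inventory. The inventory schema, hostnames, trusted network and client networks are constructed assumptions.

```python
import ipaddress

# Fixed releases named in the advisory; any older release on the same line is affected.
FIXED_IN = {(3, 4): (3, 4, 42), (3, 5): (3, 5, 28), (3, 6): (3, 6, 9)}

# Assumption: the networks that should legitimately reach the etcd client port.
TRUSTED_NETS = ["10.0.0.0/16"]

# Constructed inventory records (not a real etcd or Wiz export): client_nets lists the
# networks that can currently reach the member's gRPC port.
INVENTORY = [
    {"host": "etcd-a", "version": "v3.5.27", "auth_enabled": True,
     "client_nets": ["10.0.0.0/24", "0.0.0.0/0"]},
    {"host": "etcd-b", "version": "3.6.9", "auth_enabled": True, "client_nets": ["10.0.0.0/24"]},
    {"host": "etcd-c", "version": "3.4.40", "auth_enabled": False, "client_nets": ["10.0.1.0/24"]},
]

def parse_version(text):
    """'v3.5.27' or '3.5.27-rc.0' -> (3, 5, 27); a pre-release suffix is dropped."""
    core = text.strip().lstrip("v").split("-")[0]
    return tuple(int(p) for p in core.split("."))[:3]

def version_status(text):
    """'affected', 'patched', or 'unknown' for a release line the advisory does not cover."""
    ver = parse_version(text)
    fixed = FIXED_IN.get(ver[:2])
    if fixed is None:
        return "unknown"
    return "affected" if ver < fixed else "patched"

def assess(member, trusted_nets=TRUSTED_NETS):
    """Return the status, the client networks outside the trusted set, and the actions to take."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    untrusted = [n for n in member["client_nets"]
                 if not any(ipaddress.ip_network(n).subnet_of(t) for t in trusted)]
    status = version_status(member["version"])
    actions = []
    if status == "affected":
        actions.append("upgrade to %d.%d.%d" % FIXED_IN[parse_version(member["version"])[:2]])
        if untrusted:  # the advisory's exploitable precondition: gRPC reachable by untrusted clients
            actions.append("restrict gRPC access from " + ", ".join(untrusted) + "; enforce mTLS")
    if not member["auth_enabled"]:
        actions.append("enable etcd auth: with it disabled every RPC is open regardless of this CVE")
    return {"host": member["host"], "status": status, "untrusted_nets": untrusted, "actions": actions}

if __name__ == "__main__":
    for member in INVENTORY:
        print(assess(member))
```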

Community reactions

The vulnerability received coverage from multiple security news outlets including GBHackers, CyberSecurityNews, CyberPress, and IT Security News, with articles highlighting the risk of unauthorized access to sensitive cluster APIs (GBHackers, CyberSecurityNews). Strix Security published a technical blog post titled "Where Others Missed It: etcd Auth Bypass," authored by researchers Alex Schapiro and Ahmed Allam, who were credited in the advisory (Strix Security). The vulnerability was discussed on Hacker News, reflecting community interest in the impact on etcd-backed infrastructure (Hacker News). The Hacker News and The Hacker Wire also covered the issue, and it was included in The Hacker News weekly recap (The Hacker News). openSUSE issued security announcements for affected packages, and Greenbone included it in their April 2026 threat report.

This report was generated using AI.

Related etcd vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name        CISA KEV exploit  Has fix  Published date
CVE-2026-39821  CRITICAL  9.6    cAdvisor      coredns-1.14          No                Yes      May 22, 2026
CVE-2026-33413  HIGH      8.8    etcd          etcd                  No                Yes      Mar 26, 2026
CVE-2026-33814  HIGH      7.5    cAdvisor      envoy-ratelimit-fips  No                Yes      May 07, 2026
CVE-2026-29181  HIGH      7.5    cAdvisor      juicefs-1.2           No                Yes      Apr 07, 2026
CVE-2026-44283  MEDIUM    4.3    etcd          juicefs-1.2           No                Yes      May 14, 2026
