CVE-2026-44283 - etcd RBAC bypass allows unauthorized data access via PrevKv/lease attachment in

📡 GitHub-Advisory · 2026-05-07

CVE-2026-44283

GHSA-x35m-3gp4-4fh5 LOW go/go.etcd.io/etcd/v3

CVE: CVE-2026-44283

Impact

_What kind of vulnerability is it? Who is impacted?_

A vulnerability in etcd allows read access via PrevKv, or lease attachment, in Put requests within transaction operations to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled.

Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.

Patches

_Has the problem been patched? What versions should users upgrade to?_

This vulnerability is patched in the following versions:

  • etcd 3.6.11
  • etcd 3.5.30
  • etcd 3.4.44
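As an added check that is not part of the advisory: a small script that parses the version line from `etcd --version` (or `etcdctl version`) output and compares it, per minor series, against the patched releases listed above. The sample outputs are constructed; a series the advisory does not list is reported as unknown rather than guessed.

```python
import re

# Patched releases named in the advisory, keyed by (major, minor) series.
PATCHED = {
    (3, 4): (3, 4, 44),
    (3, 5): (3, 5, 30),
    (3, 6): (3, 6, 11),
}

# Matches the "etcd Version: 3.5.29" line printed by `etcd --version`.
VERSION_RE = re.compile(r"etcd Version:\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_etcd_version(output: str) -> tuple:
    """Return (major, minor, patch) parsed from etcd version output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'etcd Version:' line found in output")
    return tuple(int(x) for x in m.groups())


def assess(version: tuple) -> tuple:
    """Return (affected, fixed_version) for CVE-2026-44283.

    affected is True/False when the minor series is covered by the advisory,
    and None (with fixed_version None) when it is not listed there.
    """
    fixed = PATCHED.get(version[:2])
    if fixed is None:
        return (None, None)
    return (version < fixed, fixed)


def audit(outputs: dict) -> dict:
    """Map each node name to its (affected, fixed_version) assessment."""
    return {name: assess(parse_etcd_version(out)) for name, out in outputs.items()}


# Constructed sample outputs, as a fleet inventory script might collect them.
SAMPLE_OUTPUTS = {
    "node-a": "etcd Version: 3.5.29\nGit SHA: 0123abc\nGo Version: go1.22.0\n",
    "node-b": "etcd Version: 3.6.11\nGit SHA: 4567def\nGo Version: go1.23.1\n",
    "node-c": "etcd Version: 3.4.43\nGit SHA: 89abcde\nGo Version: go1.21.5\n",
}

if __name__ == "__main__":
    for node, (affected, fixed) in audit(SAMPLE_OUTPUTS).items():
        print(node, "affected" if affected else "ok" if affected is False else "unknown", fixed)
```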

Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice.

  • restrict network access to etcd server ports so only trusted components can connect
  • require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution

Reporters

Samy Ghannad (@SamyGhannad on GitHub) reported that read access via PrevKv in a Put request within etcd transactions bypassed RBAC authorization checks. Benjamin Wang (@ahrtr) further analyzed that lease attachment in a Put request within etcd transactions also bypassed RBAC authorization checks.

