AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-q8m4-xhhv-38mg: etcd: Authorization bypasses in multiple APIs

highvulnerability

security

Source: GitHub Advisory DatabaseMarch 20, 2026CVE-2026-33413

Summary

etcd (a distributed key-value store used in systems like Kubernetes) has multiple authorization bypass vulnerabilities that let unauthorized users call sensitive functions like MemberList, Alarm, Lease APIs, and compaction when the gRPC API (a communication protocol for remote procedure calls) is exposed to untrusted clients. These vulnerabilities are patched in etcd versions 3.6.9, 3.5.28, and 3.4.42, and typical Kubernetes deployments are not affected because Kubernetes handles authentication separately.

Solution / Mitigation

Upgrade to etcd 3.6.9, etcd 3.5.28, or etcd 3.4.42. If upgrading is not immediately possible, restrict network access to etcd server ports so only trusted components can connect, and require strong client identity at the transport layer such as mTLS (mutual TLS, where both client and server verify each other's identity) with tightly scoped client certificate distribution.

Vulnerability Details

EPSS (30-day exploit probability)

EPSS: 0.0%

Patch Available

Yes

Disclosure Date

March 20, 2026

Classification

Attack Type

Other

Attack SophisticationModerate

Impact (CIA+S)

integrityavailability

Affected Packages

go.etcd.io/etcd@<= 3.3.27go.etcd.io/etcd/v3@<= 3.4.41 (fixed: 3.4.42)go.etcd.io/etcd/v3@>= 3.5.0-alpha.0, <= 3.5.27 (fixed: 3.5.28)go.etcd.io/etcd/v3@>= 3.6.0-alpha.0, <= 3.6.8 (fixed: 3.6.9)

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

critical

CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi

First tracked: March 20, 2026 at 08:00 PM

Classified by LLM (prompt v3) · confidence: 75%