The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33413

CVE-2026-33413: Etcd Auth Bypass Vulnerability

CVE-2026-33413 is an authentication bypass vulnerability in Etcd that allows unauthorized users to access cluster functions, learn topology, and disrupt operations. This article covers technical details, affected versions, and mitigation.

Published: March 27, 2026

CVE-2026-33413 Overview

CVE-2026-33413 is an authorization bypass vulnerability (CWE-862: Missing Authorization) in etcd, a distributed key-value store commonly used for storing configuration data in distributed systems. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients.

Critical Impact

Unauthorized attackers can bypass authentication to enumerate cluster topology, disrupt operations via Alarm API abuse, interfere with TTL-based keys through Lease APIs, and trigger compaction to permanently remove historical revisions—impacting watch, audit, and recovery workflows.

Affected Products

  • etcd versions prior to 3.4.42
  • etcd versions prior to 3.5.28
  • etcd versions prior to 3.6.9

Discovery Timeline

  • 2026-03-26 - CVE CVE-2026-33413 published to NVD
  • 2026-03-26 - Last updated in NVD database

Technical Details for CVE-2026-33413

Vulnerability Analysis

This vulnerability stems from missing authorization checks in etcd's gRPC API implementation. When etcd authentication is enabled, certain RPC endpoints fail to properly validate caller permissions, allowing unauthorized users to invoke sensitive functions. The vulnerability is exploitable over the network without requiring any privileges or user interaction, making it particularly dangerous for internet-exposed etcd deployments.

In affected configurations, attackers can perform multiple unauthorized operations including calling MemberList to discover cluster topology (member IDs and advertised endpoints), invoking the Alarm API for operational disruption, manipulating Lease APIs to interfere with TTL-based keys, and triggering compaction operations that permanently remove historical revisions.

It is important to note that typical Kubernetes deployments are not affected by this vulnerability because Kubernetes does not rely on etcd's built-in authentication and authorization. Instead, the Kubernetes API server handles authentication and authorization itself before interacting with etcd.

Root Cause

The root cause is CWE-862: Missing Authorization. Specific gRPC RPC handlers in etcd do not perform adequate authorization checks when etcd authentication is enabled. These affected RPCs—including MemberList, Alarm, Lease-related APIs, and compaction operations—can be invoked by any client with network access to the gRPC endpoint, regardless of their authentication status.

Attack Vector

The attack vector is network-based. An attacker with network access to the etcd gRPC API port (typically port 2379) can send crafted gRPC requests to the vulnerable endpoints. Since the authorization checks are missing, these requests are processed without verifying the caller's identity or permissions.

The vulnerability affects etcd clusters where the gRPC API is exposed to untrusted or partially trusted network segments and etcd's built-in authentication is relied upon for access control. Exploitation does not require any authentication credentials or user interaction.

The attack flow involves an attacker connecting to the exposed etcd gRPC endpoint and invoking sensitive RPCs such as MemberList for reconnaissance, Alarm for denial of service, Lease APIs to disrupt TTL-based workflows, or compaction to destroy historical data needed for audit and recovery purposes.

Detection Methods for CVE-2026-33413

Indicators of Compromise

  • Unusual gRPC requests to MemberList, Alarm, Lease, or Compaction endpoints from unexpected source IPs
  • Increased alarm creation or deletion activity in etcd audit logs
  • Unexpected compaction operations that remove historical revisions
  • Lease manipulation from clients that should not have access to lease management

Detection Strategies

  • Monitor etcd audit logs for unauthorized RPC calls to sensitive endpoints
  • Implement network-level monitoring to detect connections to etcd gRPC ports from untrusted sources
  • Alert on unexpected MemberList queries that could indicate reconnaissance activity
  • Track compaction operations and correlate with authorized maintenance windows

Monitoring Recommendations

  • Enable comprehensive etcd audit logging to capture all RPC invocations
  • Configure network intrusion detection rules to identify anomalous gRPC traffic patterns
  • Implement alerting for any etcd API access from non-whitelisted IP addresses
  • Regularly review etcd cluster membership and lease activity for unauthorized changes

How to Mitigate CVE-2026-33413

Immediate Actions Required

  • Upgrade etcd to version 3.4.42, 3.5.28, or 3.6.9 depending on your version branch
  • Restrict network access to etcd server ports so only trusted components can connect
  • Implement mTLS with tightly scoped client certificate distribution for transport-layer authentication
  • Treat affected RPCs as unauthenticated in practice until patched

Patch Information

Patches are available in etcd versions 3.4.42, 3.5.28, and 3.6.9. These versions address the missing authorization checks in the affected gRPC RPC handlers. Organizations should upgrade to the appropriate patched version for their deployment branch.

For detailed patch information and security advisory, see the GitHub Security Advisory GHSA-q8m4-xhhv-38mg.

Workarounds

  • Restrict network access to etcd gRPC ports (typically 2379) using firewall rules to allow only trusted components
  • Require strong client identity at the transport layer by implementing mTLS with tightly scoped client certificate distribution
  • Deploy etcd behind a network boundary or service mesh that provides additional authentication enforcement
  • Consider using Kubernetes-managed etcd deployments where the API server handles authentication independently
bash
# Example: Restrict etcd access using iptables
# Allow only specific trusted IPs to connect to etcd gRPC port
iptables -A INPUT -p tcp --dport 2379 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 2379 -j DROP

# Example: Enable mTLS in etcd configuration
# etcd.conf.yml
# client-transport-security:
#   cert-file: /path/to/server.crt
#   key-file: /path/to/server.key
#   client-cert-auth: true
#   trusted-ca-file: /path/to/ca.crt

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechEtcd
  • SeverityHIGH
  • CVSS Score8.8
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-862
  • Vendor Resources
  • GitHub Security Advisory
  • Related CVEs
  • CVE-2026-33343: Etcd Auth Bypass Vulnerability
  • CVE-2021-28235: Etcd Privilege Escalation Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English