CVE-2026-44283: etcd RBAC bypass allows unauthorized data access via PrevKv/lease attachment in nested transaction Put requests

What kind of vulnerability is it? Who is impacted?

A vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled.

Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.