CVE-2026-33343: etcd: Nested etcd transactions bypass RBAC authorization checks

March 20, 2026

What kind of vulnerability is it? Who is impacted?

An authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store.

Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.

References

github.com/advisories/GHSA-rfx7-8w68-q57q
github.com/etcd-io/etcd
github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q
nvd.nist.gov/vuln/detail/CVE-2026-33343

Code Behaviors & Features

Detect and mitigate CVE-2026-33343 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →