None severity0.0GHSA Advisory· Published May 14, 2026· Updated May 15, 2026
CVE-2026-44283
CVE-2026-44283
Description
etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled. This vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
go.etcd.io/etcd/v3Go | >= 3.6.0, < 3.6.11 | 3.6.11 |
go.etcd.io/etcd/v3Go | >= 3.5.0, < 3.5.30 | 3.5.30 |
go.etcd.io/etcdGo | < 3.4.44 | 3.4.44 |
Affected products
17- osv-coords15 versionspkg:apk/chainguard/juicefs-1.2pkg:apk/chainguard/py3.10-etcdpkg:apk/chainguard/py3.11-etcdpkg:apk/chainguard/py3.12-etcdpkg:apk/chainguard/py3.13-etcdpkg:apk/chainguard/py3-etcdpkg:apk/wolfi/py3.10-etcdpkg:apk/wolfi/py3.11-etcdpkg:apk/wolfi/py3.12-etcdpkg:apk/wolfi/py3.13-etcdpkg:apk/wolfi/py3-etcdpkg:bitnami/etcdpkg:golang/go.etcd.io/etcdpkg:golang/go.etcd.io/etcd/v3pkg:rpm/opensuse/flannel&distro=openSUSE%20Tumbleweed
< 1.2.5-r11+ 14 more
- (no CPE)range: < 1.2.5-r11
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 3.4.44
- (no CPE)range: < 3.4.44
- (no CPE)range: >= 3.6.0, < 3.6.11
- (no CPE)range: < 0.28.5-1.1
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-x35m-3gp4-4fh5ghsaADVISORY
- github.com/etcd-io/etcd/security/advisories/GHSA-x35m-3gp4-4fh5nvdMitigationVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-44283ghsaADVISORY
News mentions
0No linked articles in our index yet.