Go modules package
go.etcd.io/etcd
pkg:golang/go.etcd.io/etcd
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44283 | Non | 0.0 | | < 3.4.44 | 3.4.44 | May 14, 2026 | etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authe |
| CVE-2026-33413 | — | | | <= 3.3.27 | — | Mar 26, 2026 | etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or parti |
| CVE-2026-33343 | — | | | <= 3.3.27 | — | Mar 26, 2026 | etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authent |
| CVE-2020-15136 | — | | | >= 3.4.0-rc.0, < 3.4.10 | 3.4.10 | Aug 6, 2020 | In etcd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the di |
| CVE-2020-15114 | — | | | >= 3.4.0-rc.0, < 3.4.10 | 3.4.10 | Aug 6, 2020 | In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a |
| CVE-2020-15106 | — | | | < 0.5.0-alpha.5.0.20200423152442-f4b650b51dc4 | 0.5.0-alpha.5.0.20200423152442-f4b650b51dc4 | Aug 5, 2020 | In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that |
| CVE-2018-16886 | — | | | < 0.5.0-alpha.5.0.20190108173120-83c051b701d3 | 0.5.0-alpha.5.0.20190108173120-83c051b701d3 | Jan 14, 2019 | etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid R |
| CVE-2018-1099 | — | | | < 3.4.0 | 3.4.0 | Apr 3, 2018 | DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address). |