CVE-2026-44283

etcd: Read access via PrevKv in etcd transactions may bypass RBAC authorization checks

Assigner: GitHub_M
Reserved: 05.05.2026 Published: 14.05.2026 Updated: 14.05.2026

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled. This vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS Score: 0

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	etcd-io
Product	etcd
Versions	Version < 3.4.44 is affected Version >= 3.5.0, <= 3.5.29 is affected Version >= 3.6.0, <= 3.6.10 is affected

Vendor

etcd-io

Product

etcd

Versions

Version < 3.4.44 is affected
Version >= 3.5.0, <= 3.5.29 is affected
Version >= 3.6.0, <= 3.6.10 is affected

References

Problem Types

CWE-863: Incorrect Authorization CWE

CVE-2026-44283 PUBLISHED

etcd: Read access via PrevKv in etcd transactions may bypass RBAC authorization checks

Metrics

Product Status

References

Problem Types