CVE-2026-59818 PUBLISHED

etcd: gRPC client listener does not enforce `--client-crl-file` certificate revocation

Assigner: GitHub_M
Reserved: 07.07.2026 Published: 08.07.2026 Updated: 09.07.2026

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the --client-crl-file Certificate Revocation List is not enforced on the gRPC listener, allowing a client with a revoked certificate to authenticate successfully over gRPC. This issue is fixed in versions 3.5.32 and 3.6.13.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 6.5

Product Status

Vendor etcd-io
Product etcd
Versions
  • Version >= 3.6.0-alpha.0, < 3.6.13 is affected
  • Version < 3.5.32 is affected

References

Problem Types

  • CWE-295: Improper Certificate Validation CWE