CVE-2026-44283
Description
etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled. This vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11.
CVE-2026-44283
| Name | CVE-2026-44283 |
| Description | etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled. This vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1136829 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| etcd (PTS) | bullseye | 3.3.25+dfsg-6 | vulnerable |
| | bookworm | 3.4.23-4 | vulnerable |
| | trixie | 3.5.16-4 | vulnerable |
| | forky | 3.5.16-10 | vulnerable |
| | sid | 3.5.16-11 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| etcd | source | (unstable) | 3.5.16-11 | | | 1136829 |
Notes
[trixie] - etcd <no-dsa> (Minor issue)
[bookworm] - etcd <no-dsa> (Minor issue)
https://github.com/etcd-io/etcd/security/advisories/GHSA-x35m-3gp4-4fh5
https://github.com/etcd-io/etcd/pull/21677
https://github.com/etcd-io/etcd/pull/21680
Fixed by: https://github.com/etcd-io/etcd/commit/e8ce1ae41f18a938d0d8ad85dbc034c489e468db (v3.5.30)
Fixed by: https://github.com/etcd-io/etcd/commit/500c535adbb8a5a444bbff9fa34cc1c10addee71 (v3.5.30)
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Windows Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Debian Mixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | - |
| sid | Fixed | 3.5.16-11 |
| forky | Affected | - |
| bullseye | Affected | - |
| bookworm | Affected | - |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | go.etcd.io/etcd/v3 | >=3.6.0,<3.6.11 | 3.6.11 |
| Go | go.etcd.io/etcd/v3 | >=3.5.0,<3.5.30 | 3.5.30 |
| Go | go.etcd.io/etcd | <3.4.44 | 3.4.44 |
| Go | go.etcd.io/etcd | <= 3.4.43 | 3.4.44 |
| Go | go.etcd.io/etcd/v3 | >= 3.5.0, <= 3.5.29 | 3.5.30 |
| Go | go.etcd.io/etcd/v3 | >= 3.6.0, <= 3.6.10 | 3.6.11 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| etcd | etcd | < 3.4.44 | 3.4.44 |
References
- https://github.com/etcd-io/etcd/security/advisories/GHSA-x35m-3gp4-4fh5
- https://security-tracker.debian.org/tracker/CVE-2026-44283
- https://nvd.nist.gov/vuln/detail/CVE-2026-44283
- https://github.com/etcd-io/etcd
- https://www.suse.com/security/cve/CVE-2026-44283.html
- https://github.com/advisories/GHSA-x35m-3gp4-4fh5
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44283
CWEs
CWE-863