etcd, RBAC Authorization Bypass in Transactions (Low)


This vulnerability in etcd arises from improper authorization checks when processing transaction operations that contain `Put` requests with either the `PrevKv` flag set or a lease attached. In a standard scenario, etcd's RBAC system enforces key‑range permissions for each operation. However, when a `Put` is placed inside a transaction, the RBAC validation logic fails to fully inspect the inner request. Specifically, if the transaction includes a `Put` with `PrevKv=true`, the previous value of the key is returned even if the authenticated user lacks read access to that key. Similarly, a `Put` that attaches a lease inside a transaction is executed without verifying that the user has the necessary lease‑related permissions. An attacker with valid credentials can thus craft a transaction that nests these privileged `Put` operations, bypassing all key‑level restrictions. The gRPC API endpoint responsible for transactions does not recursively enforce RBAC on the constituent operations, creating a path for unauthorized data access or lease hijacking. This flaw affects only clusters where etcd's built‑in authentication and authorization are enabled and where the gRPC API is exposed to partially trusted clients. Kubernetes control planes are not impacted because they rely on the API server for authentication and do not use etcd's native RBAC.


Platform: etcd key‑value store
Version: before 3.6.11
Vulnerability: RBAC authorization bypass
Severity: Low
Date: May 1 2026

Prediction: Expected May 1 2026

What Undercode Says

# Check the etcd version
etcd --version

# Verify whether authentication is enabled
etcdctl auth status

# List current roles
etcdctl role list

# Example transaction that exploits the PrevKv bypass
etcdctl txn <<EOF
put "sensitive/key" "value" --prev-kv=true
EOF

# Example transaction that exploits the lease-attachment bypass
etcdctl lease grant 60
etcdctl txn <<EOF
put "any/key" "value" --lease=<LEASE_ID>
EOF

# Workaround: restrict network access to the client port
iptables -A INPUT -p tcp --dport 2379 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 2379 -j DROP
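The checks above only tell you a version and an auth status; deciding whether a cluster is actually exposed means comparing the running version against the fixed release for its minor branch and confirming that native authentication is on (the flaw is irrelevant when it is off). The following Python script does that from the output of `etcd --version` and `etcdctl auth status`. It is an added example, not code from the etcd project or the advisory; the fixed versions (3.6.11, 3.5.30, 3.4.44) come from the Protection section, and treating branches newer than 3.6 as carrying the fix is an assumption. The sample outputs are constructed.

```python
import re

# Minimum patched version per minor branch, taken from the advisory's
# Protection section (3.6.11 / 3.5.30 / 3.4.44).
FIXED_VERSIONS = {
    (3, 4): (3, 4, 44),
    (3, 5): (3, 5, 30),
    (3, 6): (3, 6, 11),
}

# Constructed sample outputs (not captured from a real cluster).
SAMPLE_VERSION_OUTPUT = """etcd Version: 3.5.12
Git SHA: 0000000
Go Version: go1.21.6
Go OS/Arch: linux/amd64
"""
SAMPLE_AUTH_OUTPUT = """Authentication Status: true
AuthRevision: 4
"""


def parse_etcd_version(output):
    """Extract (major, minor, patch) from the 'etcd Version:' line of `etcd --version`."""
    m = re.search(r"etcd Version:\s*v?(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no 'etcd Version:' line found in output")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True when the version is at or beyond the fix for its minor branch.

    Branches 3.4 to 3.6 are compared against FIXED_VERSIONS. Anything older
    than 3.4 received no fix. Assumption: branches newer than 3.6 carry the fix.
    """
    major, minor, _patch = version
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return tuple(version) >= FIXED_VERSIONS[branch]
    return branch > (3, 6)


def auth_enabled(output):
    """Parse the 'Authentication Status:' line of `etcdctl auth status`."""
    m = re.search(r"Authentication Status:\s*(true|false)", output)
    if not m:
        raise ValueError("no 'Authentication Status:' line found in output")
    return m.group(1) == "true"


def assess(version_output, auth_output):
    """Combine both checks into a verdict for this advisory.

    'vulnerable'   : unpatched version and native auth enabled
    'not-affected' : unpatched version but auth disabled (no RBAC to bypass;
                     the store is still open to anyone who can reach the port)
    'patched'      : version at or beyond the fixed release
    """
    version = parse_etcd_version(version_output)
    patched = is_patched(version)
    auth_on = auth_enabled(auth_output)
    if patched:
        verdict = "patched"
    elif auth_on:
        verdict = "vulnerable"
    else:
        verdict = "not-affected"
    target = FIXED_VERSIONS.get(version[:2])
    return {
        "version": ".".join(str(x) for x in version),
        "patched": patched,
        "auth_enabled": auth_on,
        "verdict": verdict,
        "upgrade_to": ".".join(str(x) for x in target) if target else None,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_AUTH_OUTPUT))
```

In practice you would feed the script the real command output (for example via `subprocess.run(["etcd", "--version"], capture_output=True, text=True).stdout`) for every member of the cluster, since a mixed-version cluster is only as safe as its oldest member.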

Exploit

1. Obtain valid credentials for the etcd cluster.
2. Identify a key for which the user has no read permission.
3. Send a transaction request containing a `Put` operation with `PrevKv=true` targeting that key.
4. The transaction returns the previous value of the key, bypassing the RBAC read restriction.
5. Alternatively, create a lease and attach it to a `Put` inside a transaction, even if the user lacks lease‑attachment rights.

Protection from this CVE

  • Upgrade immediately to etcd 3.6.11, 3.5.30, or 3.4.44.
  • Restrict network access to etcd server ports (default 2379, 2380) to only trusted components.
  • Require mTLS with tightly scoped client certificate distribution to authenticate all connections.
  • Treat the affected RPCs as unauthenticated in practice until a patch is applied.

Impact

  • Unauthorised read access to any key in the data store, leading to information disclosure.
  • Unauthorised lease attachment, enabling attackers to influence lease‑based operations.
  • Complete bypass of RBAC key‑range restrictions, effectively granting full access to the entire etcd data store.
  • No impact on Kubernetes control planes, but standalone or custom etcd deployments are at risk.


Sources:

Reported By: github.com
