gRPC Authentication Bypass in etcd Distributed Key-Value Store by etcd.io
CVE-2026-59818

6.5MEDIUM

Key Information:

Vendor

Etcd-io

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59818?

A vulnerability in etcd, a distributed key-value store, allows clients with revoked certificates to authenticate successfully over the gRPC listener. This occurs when etcd is configured with separate HTTP and gRPC client endpoints using the --listen-client-http-urls parameter and the --client-crl-file Certificate Revocation List is not enforced on the gRPC listener. Therefore, it creates a potential security risk where unauthorized access might be granted to sensitive data or system commands. The issue is addressed in the latest etcd versions 3.5.32 and 3.6.13.

Affected Version(s)

etcd >= 3.6.0-alpha.0, < 3.6.13 < 3.6.0-alpha.0, 3.6.13

etcd < 3.5.32 < 3.5.32

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.