gRPC Authentication Bypass in etcd Distributed Key-Value Store by etcd.io
CVE-2026-59818
6.5MEDIUM
What is CVE-2026-59818?
A vulnerability in etcd, a distributed key-value store, allows clients with revoked certificates to authenticate successfully over the gRPC listener. This occurs when etcd is configured with separate HTTP and gRPC client endpoints using the --listen-client-http-urls parameter and the --client-crl-file Certificate Revocation List is not enforced on the gRPC listener. Therefore, it creates a potential security risk where unauthorized access might be granted to sensitive data or system commands. The issue is addressed in the latest etcd versions 3.5.32 and 3.6.13.
Affected Version(s)
etcd >= 3.6.0-alpha.0, < 3.6.13 < 3.6.0-alpha.0, 3.6.13
etcd < 3.5.32 < 3.5.32
