CVE-2026-33413 found in ETCD by open source AI agent (strix.ai), 8.8 CVSS

CVE-2026-33413 Impact, Exploitability, and Mitigation Steps | Wiz Wiz Agents & Workflows are here Wiz Pricing Get a demo Get a demo Vulnerability Database CVE-2026-33413 CVE-2026-33413 : vulnerability analysis and mitigation Impact What kind of vulnerability is it? Who is impacted? Multiple vulnerabilities allow unauthorized users to bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to: call MemberList and learn cluster topology, including member IDs and advertised endpoints call Alarm, which can be abused for operational disruption or denial of service use Lease APIs, interfering with TTL-based keys and lease ownership trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Patches Has the problem been patched? What versions should users upgrade to? These vulnerabilities are patched in the following versions: etcd 3.6.9 etcd 3.5.28 etcd 3.4.42 Workarounds Is there a way for users to fix or remediate the vulnerability without upgrading? If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. restrict network access to etcd server ports so only trusted components can connect require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution Reporters Community efforts help keep etcd secure The etcd community thanks Isaac David, bugbunny.ai, Asim Viladi Oglu Manizada, Alex Schapiro & Ahmed Allam from Strix security, Luke Francis, and @OLU-DEVX for reporting these vulnerabilities. Dependency Between Reported Issues These issues all originate from the same underlying flaw in the gRPC API layer. They affect the same API surface and share a common root cause. In practice, the fix is implemented as a single, unified change at the API layer, which resolves all issues together. Given this, we believe these issues are best treated as a single vulnerability and should be assigned a single CVE. Source : NVD View vulnerable instances Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths. Watch 12-min demo Overview CVSS Information 8.8 Score Published March 20, 2026 Severity HIGH CNA Score N/A Has Public Exploit No Has CISA KEV Exploit No CISA KEV Release Date N/A CISA KEV Due Date N/A Exploitation Probability Percentile (EPSS) N/A Exploitation Probability (EPSS) N/A Affected packages and libraries go.etcd.io/etcd go.etcd.io/etcd/v3 Sources NVD GitHub Advisory Database GoLang Severity HIGH Has Fix Added at: Mar 21, 2026 Get a CVE risk assessment Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed. Request assessment Free Vulnerability Assessment Benchmark your Cloud Security Posture Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses. Request assessment Additional Wiz resources Cloud Vulnerability DB A community-led vulnerabilities database Explore Cloud Threat Landscape A threat intelligence database Explore PEACH A tenant isolation framework Explore Get a personalized demo Ready to see Wiz in action? "Best User Experience I have ever seen, provides full visibility to cloud workloads." David Estlick CISO "Wiz provides a single pane of glass to see what is going on in our cloud environments." Adam Fletcher Chief Security Officer "We know that if Wiz identifies something as critical, it actually is." Greg Poniatowski Head of Threat and Vulnerability Management Get a demo