CVE-2026-44283 NONE

CVE-2026-44283: etcd: Read access via PrevKv in etcd transactions may bypass RBAC authorization checks

Vendor Etcd-Io

Product etcd

Weakness CWE-863 · Incorrect authorization

Published May 14, 2026

Last update May 16, 2026

View on NVD All CVEs

CVSS base score

0.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

What the vulnerability does

01Description

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled. This vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11.

Key dates

02Disclosure timeline

May 14, 2026 CVE published

May 16, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-44283

Related vulnerabilities

Identifiers

CVE CVE-2026-44283

CWE CWE-863

CVSS 0.0 / NONE

Affected versions

Vendor Etcd-Io

Product etcd

Affected < 3.4.44

Vendor Etcd-Io

Product etcd

Affected >= 3.5.0, <= 3.5.29

Vendor Etcd-Io

Product etcd

Affected >= 3.6.0, <= 3.6.10

CVE-2026-44283: etcd: Read access via PrevKv in etcd transactions may bypass RBAC authorization checks

01Description

02Disclosure timeline

03References

04Related CVE