etcd RBAC bypass allows unauthorized data access via PrevKv/lease attachment in nested transaction Put requests — CVE-2026-44283
GHSA · GitHub · CVE-2026-44283
ID
CVE-2026-44283
CVE-2026-44283
Date
Updated
Activity
Source
GHSA
GHSA
Vendor
GitHub
GitHub
Threat
low
low
Summary
### Impact _What kind of vulnerability is it? Who is impacted?_ A vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled.…
Product
go: go.etcd.io/etcd/v3 | go: go.etcd.io/etcd
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.