CVE-2026-59818

Summary

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with –listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the –client-crl-file Certificate Revocation List is not enforced on the gRPC listener, allowing a client with a revoked certificate to authenticate successfully over gRPC. This issue is fixed in versions 3.5.32 and 3.6.13.

Affected Software

VendorProductVersion RangeStatus
etcd-ioetcd>= 3.6.0-alpha.0, < 3.6.13affected
etcd-ioetcd< 3.5.32affected

Weaknesses

  • CWE-295: CWE-295: Improper Certificate Validation

References