Etcd gRPC Auth Bypass: CRL Not Enforced up to v3.6.13 or <3.5.32
CVE-2026-59818 Published on July 8, 2026
etcd: gRPC client listener does not enforce `--client-crl-file` certificate revocation
etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the --client-crl-file Certificate Revocation List is not enforced on the gRPC listener, allowing a client with a revoked certificate to authenticate successfully over gRPC. This issue is fixed in versions 3.5.32 and 3.6.13.
Vulnerability Analysis
CVE-2026-59818 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.
Affected Versions
etcd-io etcd:- Version >= 3.6.0-alpha.0, < 3.6.13 is affected.
- Version < 3.5.32 is affected.