{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/etcd/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-59818"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["etcd"],"_cs_severities":["high"],"_cs_tags":["vulnerability","etcd","grpc","authentication-bypass","certificate-revocation"],"_cs_type":"advisory","_cs_vendors":["etcd"],"content_html":"\u003cp\u003eCVE-2026-59818 affects etcd, specifically its gRPC client listener component. This critical vulnerability stems from an improper enforcement of Certificate Revocation Lists (CRLs) when the \u003ccode\u003e--client-crl-file\u003c/code\u003e flag is enabled. Discovered and published by Microsoft Security Response Center (MSRC) on 2026-07-10, the flaw allows clients whose TLS certificates have been revoked to bypass the intended authentication mechanisms and gain unauthorized access to etcd instances. This bypass compromises the security posture of etcd clusters relying on client certificate authentication for access control. For organizations utilizing etcd, particularly in container orchestration environments like Kubernetes, successful exploitation could lead to malicious modification or exfiltration of sensitive configuration data, impacting the integrity and availability of critical services. Defenders should prioritize patching and configuration review to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker acquires a legitimate client certificate previously issued for an etcd cluster, which has subsequently been revoked.\u003c/li\u003e\n\u003cli\u003eThe target etcd server is configured to use TLS client authentication and references a Certificate Revocation List (CRL) via the \u003ccode\u003e--client-crl-file\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish a gRPC connection to the vulnerable etcd server, presenting the revoked client certificate.\u003c/li\u003e\n\u003cli\u003eDue to the flaw identified as CVE-2026-59818, the etcd gRPC client listener fails to properly process or apply the revocation check from the specified CRL.\u003c/li\u003e\n\u003cli\u003eThe etcd server erroneously validates and authenticates the client connection, bypassing the intended security control.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the etcd key-value store, enabling them to read, modify, or delete sensitive data and configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability, CVE-2026-59818, could lead to significant security breaches in environments utilizing etcd for critical infrastructure. Successful exploitation allows unauthorized access to the etcd key-value store, which often holds sensitive configuration data for container orchestration platforms like Kubernetes. Attackers could manipulate this data, leading to service disruption, privilege escalation within the cluster, or exfiltration of confidential information. The integrity and availability of services relying on the compromised etcd instance would be severely impacted. The specific number of affected organizations or sectors is not disclosed, but any organization deploying etcd with client certificate authentication and CRLs is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update addressing CVE-2026-59818 for etcd immediately upon release to prevent authentication bypass.\u003c/li\u003e\n\u003cli\u003eReview all etcd server configurations to ensure CRL enforcement mechanisms are correctly implemented and functioning as expected, especially in light of CVE-2026-59818.\u003c/li\u003e\n\u003cli\u003eImplement robust logging for etcd access and administrative actions, and actively monitor these logs for anomalous client connections, particularly those from certificates that should be revoked, to detect potential exploitation of CVE-2026-59818.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T07:36:19Z","date_published":"2026-07-10T07:36:19Z","id":"https://feed.craftedsignal.io/briefs/2026-07-etcd-cve-2026-59818/","summary":"The etcd gRPC client listener is affected by CVE-2026-59818, a vulnerability where it fails to properly enforce Certificate Revocation Lists (CRLs) when the `--client-crl-file` flag is used, potentially allowing clients with revoked certificates to bypass authentication and gain unauthorized access to etcd instances.","title":"CVE-2026-59818 etcd: gRPC client listener does not enforce certificate revocation","url":"https://feed.craftedsignal.io/briefs/2026-07-etcd-cve-2026-59818/"}],"language":"en","title":"CraftedSignal Threat Feed - Etcd","version":"https://jsonfeed.org/version/1.1"}