etcd
v3.5.32Kubernetes CoreJul 2, 2026
etcd v3.5.32 is a security release patching a HIGH-severity CRL enforcement bypass (GHSA-3wh4-j44w-pg92) on the gRPC listener when --listen-client-http-urls is set. It also adds a v2-deprecation bypass option and several bug fixes.
securityCRL enforcement bypass on gRPC listener (GHSA-3wh4-j44w-pg92)
When --listen-client-http-urls is configured, the CRL was not enforced on the gRPC listener, allowing revoked certificates through. Upgrade to v3.5.32 if you use this flag with mTLS and a certificate revocation list.
Key changes (6)
- Security (HIGH): CRL enforcement bypass on gRPC listener fixed when --listen-client-http-urls is configured (GHSA-3wh4-j44w-pg92)
- New write-only-skip-check option for the --v2-deprecation flag to bypass the v2 content check
- Server now accepts non-admin maintenance status requests
- etcdutl check v2store now inspects both v2 snapshot and WAL records
- Websocket authentication fixed for bearer-prefixed auth tokens
- JWT token content no longer logged when token parsing fails