etcd
v3.6.13Kubernetes CoreJul 2, 2026
etcd v3.6.13 is a security patch addressing a HIGH-severity CRL enforcement bypass (GHSA-3wh4-j44w-pg92) on the gRPC listener, active when --listen-client-http-urls is configured. It also fixes websocket bearer-token auth and adds a v2-deprecation flag option.
securityPatch the CRL enforcement bypass on the gRPC listener (GHSA-3wh4-j44w-pg92)
Clusters using --listen-client-http-urls were not enforcing Certificate Revocation List checks on the gRPC listener, allowing revoked client certificates to authenticate. Upgrade to v3.6.13 if you configure that flag.
Key changes (3)
- Security (HIGH): CRL enforcement bypass on the gRPC listener fixed (GHSA-3wh4-j44w-pg92) — affects clusters setting --listen-client-http-urls
- Bugfix: websocket authentication corrected for bearer-prefixed auth tokens
- Enhancement: --v2-deprecation flag gains a write-only-skip-check option to bypass the v2 content check