RATATOSKRATATOSK
Sign in

etcd

v3.6.13Kubernetes Core
Jul 2, 2026

etcd v3.6.13 is a security patch addressing a HIGH-severity CRL enforcement bypass (GHSA-3wh4-j44w-pg92) on the gRPC listener, active when --listen-client-http-urls is configured. It also fixes websocket bearer-token auth and adds a v2-deprecation flag option.

  • securityPatch the CRL enforcement bypass on the gRPC listener (GHSA-3wh4-j44w-pg92)

    Clusters using --listen-client-http-urls were not enforcing Certificate Revocation List checks on the gRPC listener, allowing revoked client certificates to authenticate. Upgrade to v3.6.13 if you configure that flag.

Key changes (3)

  • Security (HIGH): CRL enforcement bypass on the gRPC listener fixed (GHSA-3wh4-j44w-pg92) — affects clusters setting --listen-client-http-urls
  • Bugfix: websocket authentication corrected for bearer-prefixed auth tokens
  • Enhancement: --v2-deprecation flag gains a write-only-skip-check option to bypass the v2 content check