etcd
v3.7.0Kubernetes CoreJul 8, 2026
etcd v3.7.0 is a security release: its one grounded change closes a HIGH-severity CRL enforcement bypass on the gRPC listener that occurs when --listen-client-http-urls is set (GHSA-3wh4-j44w-pg92). The upgrade guide mentions other possible breaking changes, but the provided notes give no detail on them.
securityCRL enforcement bypass on gRPC listener fixed
When --listen-client-http-urls is configured, certificate revocation lists (CRLs) were not enforced on the gRPC listener, allowing connections that should have been rejected by the CRL. Upgrade to v3.7.0 if you rely on CRL enforcement for client or peer authentication (GHSA-3wh4-j44w-pg92).
Key changes (2)
- Security: CRL enforcement bypass on the gRPC listener fixed when --listen-client-http-urls is configured, rated HIGH (GHSA-3wh4-j44w-pg92)
- Upgrade guide flags possible breaking changes for v3.7.0, but no specifics are given in the available changelog text