RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: etcdClear ×

etcd

Kubernetes CoreJul 1, 2026

etcd v3.6.13 is a security patch addressing a HIGH-severity CRL enforcement bypass (GHSA-3wh4-j44w-pg92) on the gRPC listener, active when --listen-client-http-urls is configured. It also fixes websocket bearer-token auth and adds a v2-deprecation flag option.

  • securityPatch the CRL enforcement bypass on the gRPC listener (GHSA-3wh4-j44w-pg92)

    Clusters using --listen-client-http-urls were not enforcing Certificate Revocation List checks on the gRPC listener, allowing revoked client certificates to authenticate. Upgrade to v3.6.13 if you configure that flag.

Key changes (3)
  • Security (HIGH): CRL enforcement bypass on the gRPC listener fixed (GHSA-3wh4-j44w-pg92) — affects clusters setting --listen-client-http-urls
  • Bugfix: websocket authentication corrected for bearer-prefixed auth tokens
  • Enhancement: --v2-deprecation flag gains a write-only-skip-check option to bypass the v2 content check
Source

etcd

Kubernetes CoreJul 1, 2026

etcd v3.5.32 is a security release patching a HIGH-severity CRL enforcement bypass (GHSA-3wh4-j44w-pg92) on the gRPC listener when --listen-client-http-urls is set. It also adds a v2-deprecation bypass option and several bug fixes.

  • securityCRL enforcement bypass on gRPC listener (GHSA-3wh4-j44w-pg92)

    When --listen-client-http-urls is configured, the CRL was not enforced on the gRPC listener, allowing revoked certificates through. Upgrade to v3.5.32 if you use this flag with mTLS and a certificate revocation list.

Key changes (6)
  • Security (HIGH): CRL enforcement bypass on gRPC listener fixed when --listen-client-http-urls is configured (GHSA-3wh4-j44w-pg92)
  • New write-only-skip-check option for the --v2-deprecation flag to bypass the v2 content check
  • Server now accepts non-admin maintenance status requests
  • etcdutl check v2store now inspects both v2 snapshot and WAL records
  • Websocket authentication fixed for bearer-prefixed auth tokens
  • JWT token content no longer logged when token parsing fails
Source

etcd

Kubernetes CoreApr 1, 2026

etcd v3.5.29 is a maintenance release on the 3.5 branch with no detailed changelog published in the release notes themselves.

  • securityVerify container image source after upgrade

    If you pull etcd images in CI/CD pipelines, confirm you're pointing to gcr.io/etcd-development/etcd as the primary registry. The quay.io mirror is secondary and may lag. Pin to the exact digest rather than the floating tag to avoid supply chain risk.

  • breakingReview the official upgrade guide even for patch releases

    The release explicitly calls out that breaking changes may exist even in 3.5.x patch versions. Don't skip the upgrade guide. Test in a staging environment first, especially if you're running etcd as the backing store for Kubernetes — a botched etcd upgrade can take down your entire control plane.

  • enhancementCheck CHANGELOG-3.5.md before upgrading

    The release notes here are skeletal — no specific fixes or changes are listed. Before upgrading any etcd cluster, pull up CHANGELOG-3.5.md on the etcd GitHub repo and filter for v3.5.29 entries. Patch releases on 3.5 typically carry bug fixes and CVE patches that aren't always obvious from the version bump alone.

Key changes (4)
  • Maintenance/patch release on the stable 3.5 branch
  • Full change details require consulting the CHANGELOG-3.5.md directly
  • Container images available on gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
  • Upgrade guide should be reviewed before upgrading due to potential breaking changes
Source