🟠 High | Source: Microsoft Security Response Center
A vulnerability in etcd’s gRPC client listener means that certificate revocation lists (CRLs) specified via the --client-crl-file flag are not enforced, allowing clients with revoked certificates to continue authenticating successfully. This undermines a key control used to invalidate compromised or expired credentials in etcd clusters, which are commonly used as the backing store for Kubernetes control planes. In Azure environments where etcd is a component of managed or self-managed Kubernetes clusters, this could allow an attacker holding a revoked certificate to maintain unauthorised access.
Security Architect’s Take: Review any etcd deployments — particularly those underpinning AKS or self-managed Kubernetes on Azure — and assess whether CRL-based revocation is relied upon as a control boundary. As an interim mitigation, consider rotating affected certificates and enforcing access controls at the network layer until a patched version of etcd is available and deployed.
Original advisory: CVE-2026-59818 etcd: gRPC client listener does not enforce --client-crl-file certificate revocation