Executive Summary

CVE-2026-27965 is a security vulnerability in Vitess, a database clustering system for MySQL. The issue arises from how Vitess handles decompressor commands stored in backup manifest files during backup restoration. If an attacker has read/write access to the backup storage location (such as an S3 bucket), they can modify the manifest file to inject arbitrary decompressor commands.

When the backup is restored, these malicious commands are executed on the Vitess tablet server as the Vitess user, leading to arbitrary code execution. This can allow the attacker to gain unauthorized access to the production environment and run additional commands.

The vulnerability existed because Vitess would trust and load decompressor commands from the manifest file by default during restore operations. Starting with Vitess version 24, this behavior is disabled by default and must be explicitly enabled with a flag, which is strongly discouraged due to security risks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts if exploited. An attacker with write access to the backup storage can manipulate the backup manifest to execute arbitrary code during backup restoration.

This arbitrary code execution can lead to unauthorized access to the production deployment environment where Vitess is running. The attacker can access sensitive information available in that environment and run any additional commands, potentially compromising the entire system.

Because the attack requires access to the backup storage, the risk is limited to environments where such access is possible. However, the impact on confidentiality, integrity, and availability of the system is high if exploited.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if your Vitess deployment is using vulnerable versions (prior to 23.0.3 and 22.0.4) and whether the backup restore process is configured to trust decompressor commands from the backup manifest file.

Specifically, you should verify if the Vitess components (such as vttablet or vtbackup) are running with the flag `--external-decompressor-use-manifest` enabled, which allows decompressor commands from the manifest to be executed. This flag is disabled by default in patched versions.

Additionally, inspect the backup storage location (e.g., S3 bucket) for unauthorized modifications to the backup `MANIFEST` files, which could indicate tampering.

Suggested commands to help detect potential exploitation or configuration issues include:

• Check Vitess version: `vttablet --version` or `vtbackup --version`
• Check running processes for the presence of the `--external-decompressor-use-manifest` flag: `ps aux | grep vttablet` or `ps aux | grep vtbackup`
• Inspect backup manifest files for suspicious decompressor commands: `cat <backup-location>/MANIFEST` and look for unexpected or shell commands.
• Audit backup storage permissions to ensure only authorized users have read/write access.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Vitess to patched versions 23.0.3 or 22.0.4 or later, which contain fixes for this vulnerability.

If upgrading is not immediately possible, apply the following workarounds:

• Specify an explicit external decompressor command using the `--external-decompressor` flag for `vttablet` and `vtbackup`. This overrides any decompressor command specified in the backup manifest file.
• If no decompressor is intended, set the `--external-decompressor` flag to a harmless command such as `cat` or `tee` to ensure safe operation.

Avoid enabling the `--external-decompressor-use-manifest` flag, as it re-enables the vulnerable behavior and is strongly discouraged.

Additionally, restrict read/write access to the backup storage location to trusted users only to prevent unauthorized modification of backup manifests.

Useful 0 Not Useful 0