CVE-2026-27969
Path Traversal in Vitess Backup Restore Enables Remote Code Execution
Publication date: 2026-02-26
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | vitess | Up to 22.0.4 (exc) |
| linuxfoundation | vitess | From 23.0.0 (inc) to 23.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27969 is a critical path traversal vulnerability in the Vitess database clustering system's backup engine. It occurs during the restore process when the backup manifest files, which list files to be restored, are manipulated by an attacker who has read/write access to the backup storage location (such as an S3 bucket). The attacker can craft manifest entries with file paths containing directory traversal sequences (e.g., "../") that cause files to be restored outside the intended backup directories.
This flaw allows the attacker to write files to arbitrary locations on the system during restore, potentially overwriting or injecting files in unintended places. As a result, the attacker can gain unauthorized access to the production deployment environment, read sensitive information, and execute arbitrary commands.
The vulnerability affects Vitess versions prior to 22.0.4 and 23.0.3, with patches available in these versions. No workarounds are known. [1, 2, 3]
How can this vulnerability impact me?
If exploited, this vulnerability can lead to unauthorized access to the production deployment environment where Vitess is running. An attacker with access to the backup storage can manipulate backup manifests to restore files to arbitrary locations, potentially overwriting critical files or injecting malicious files.
This can result in exposure of sensitive information and allow the attacker to execute arbitrary commands within the production environment, compromising confidentiality and integrity of the system.
The vulnerability has a high impact on confidentiality and integrity, and can also affect availability of subsequent systems. Exploitation requires high privileges (access to backup storage) but no user interaction and has low attack complexity.
To mitigate this risk, it is essential to apply the patches provided in Vitess versions 22.0.4 and 23.0.3.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network/system scanning methods provided in the available information for CVE-2026-27969.
Detection would likely involve verifying if the Vitess version in use is vulnerable (versions prior to 22.0.4 and 23.0.3) and checking for unauthorized modifications to backup manifest files in the backup storage location (e.g., S3 buckets) that could indicate manipulation attempts.
Since the vulnerability involves path traversal via backup manifest files, monitoring for unusual file paths or unexpected files being restored outside designated directories could be a sign of exploitation.
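The check described above, written as an added example (not Vitess code): it parses a constructed manifest, resolves each entry under the restore root and reports the entries that would land outside it. The manifest field names (FileEntries, Name) and the restore root path are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin resolves name under root and reports whether the cleaned result stays
// inside root; absolute names and escapes like "a/../../x" are rejected.
func safeJoin(root, name string) (string, bool) {
	if name == "" || filepath.IsAbs(name) {
		return "", false
	}
	joined := filepath.Join(root, name) // Join also cleans the path
	rel, err := filepath.Rel(root, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false
	}
	return joined, true
}

// AuditManifest parses manifest JSON and returns every entry that would resolve
// outside root: entries a restore must refuse and an operator should alert on.
// The JSON shape (FileEntries with a Name each) is assumed, not Vitess's format.
func AuditManifest(raw []byte, root string) ([]string, error) {
	var m struct {
		FileEntries []struct{ Name string }
	}
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	var bad []string
	for _, fe := range m.FileEntries {
		if _, ok := safeJoin(root, fe.Name); !ok {
			bad = append(bad, fe.Name)
		}
	}
	return bad, nil
}

// Constructed sample: two entries inside root (one only after cleaning), one traversal, one absolute.
const sampleManifest = `{"FileEntries":[{"Name":"Data/ib_logfile0"},
{"Name":"a/../b.ibd"},{"Name":"../../outside/file"},{"Name":"/abs/outside/file"}]}`

func main() {
	bad, _ := AuditManifest([]byte(sampleManifest), "/var/lib/vt/restore")
	fmt.Println("entries escaping the restore root:", bad)
}
```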
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade Vitess to a patched version: 22.0.4 or later on the 22.x line, or 23.0.3 or later on the 23.x line.
No known workarounds are available, so applying the official patches is essential to prevent exploitation.
Additionally, restrict and monitor access to the backup storage location (such as S3 buckets) to ensure only trusted users have read/write permissions, minimizing the risk of malicious manifest file manipulation.