CVE-2026-27969
Received Received - Intake
Path Traversal in Vitess Backup Restore Enables Remote Code Execution

Publication date: 2026-02-26

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest β€” which may be files that they have also added to the manifest and backup contents β€”Β are written to any accessible location on restore. This is a common path traversal security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment β€” allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27969
EUVD
EUVD-2026-8821
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation vitess to 22.0.4 (exc)
linuxfoundation vitess From 23.0.0 (inc) to 23.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27969 is a critical path traversal vulnerability in the Vitess database clustering system\'s backup engine. It occurs during the restore process when the backup manifest files, which list files to be restored, are manipulated by an attacker who has read/write access to the backup storage location (such as an S3 bucket). The attacker can craft manifest entries with file paths containing directory traversal sequences (e.g., "../") that cause files to be restored outside the intended backup directories.'}, {'type': 'paragraph', 'content': 'This flaw allows the attacker to write files to arbitrary locations on the system during restore, potentially overwriting or injecting files in unintended places. As a result, the attacker can gain unauthorized access to the production deployment environment, read sensitive information, and execute arbitrary commands.'}, {'type': 'paragraph', 'content': 'The vulnerability affects Vitess versions prior to 22.0.4 and 23.0.3, with patches available in these versions. No workarounds are known.'}] [1, 2, 3]

Impact Analysis

If exploited, this vulnerability can lead to unauthorized access to the production deployment environment where Vitess is running. An attacker with access to the backup storage can manipulate backup manifests to restore files to arbitrary locations, potentially overwriting critical files or injecting malicious files.

This can result in exposure of sensitive information and allow the attacker to execute arbitrary commands within the production environment, compromising confidentiality and integrity of the system.

The vulnerability has a high impact on confidentiality and integrity, and can also affect availability of subsequent systems. Exploitation requires high privileges (access to backup storage) but no user interaction and has low attack complexity.

To mitigate this risk, it is essential to apply the patches provided in Vitess versions 22.0.4 and 23.0.3.

Compliance Impact

I don't know

Detection Guidance

There are no specific detection commands or network/system scanning methods provided in the available information for CVE-2026-27969.

Detection would likely involve verifying if the Vitess version in use is vulnerable (versions prior to 22.0.4 and 23.0.3) and checking for unauthorized modifications to backup manifest files in the backup storage location (e.g., S3 buckets) that could indicate manipulation attempts.

Since the vulnerability involves path traversal via backup manifest files, monitoring for unusual file paths or unexpected files being restored outside designated directories could be a sign of exploitation.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade Vitess to a patched version: either version 22.0.4 or 23.0.3 or later.

No known workarounds are available, so applying the official patches is essential to prevent exploitation.

Additionally, restrict and monitor access to the backup storage location (such as S3 buckets) to ensure only trusted users have read/write permissions, minimizing the risk of malicious manifest file manipulation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27969. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart