CVE-2026-27965

HIGH · EPSS 33.4% · CVSS 4.0 base score 8.4 (High)
Published Feb 26, 2026 (4 months ago) · Last modified Jun 17, 2026 (2 weeks ago)

Description

Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (for example an S3 bucket) can manipulate backup manifest files so that arbitrary code is executed when that backup is later restored. This gives the attacker unintended, unauthorized access to the production deployment environment: they can read information available in that environment and run any further arbitrary commands there.

Versions 23.0.3 and 22.0.4 contain a patch. Workarounds are available:

  • Deployments that intend to use an external decompressor should always pass that decompressor command in the `--external-decompressor` flag of `vttablet` and `vtbackup`; the flag value overrides any value specified in the manifest file.
  • Deployments that do not intend to use an external decompressor (nor an internal one) can set the `--external-decompressor` flag of `vttablet` and `vtbackup` to a harmless command such as `cat` or `tee`, so that a harmless command is always used.
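The trust problem the description outlines, and the flag override it recommends, as an added Go example (this is not Vitess code and not taken from the advisory or the patch). It models a backup MANIFEST as JSON with an `ExternalDecompressor` field and assumes the resolution order the description states: a non-empty `--external-decompressor` flag wins, otherwise the manifest value is used. The JSON key names, the allowlist and both sample manifests are constructed for illustration. The `auditDecompressor` check is the kind of pre-restore scan an operator can run over a bucket's manifests before trusting them, independent of upgrading.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// backupManifest holds only the fields relevant here. The JSON keys are an
// assumption modelled on the advisory's description of a per-backup external
// decompressor setting; they are not copied from the Vitess source.
type backupManifest struct {
	BackupMethod         string `json:"BackupMethod"`
	CompressionEngine    string `json:"CompressionEngine"`
	ExternalDecompressor string `json:"ExternalDecompressor"`
}

// Constructed sample manifests: one as a legitimate backup would write it, and
// one after someone with write access to the bucket has edited it so that the
// restore side runs a shell command of their choosing.
const benignManifest = `{"BackupMethod":"builtin","CompressionEngine":"pgzip","ExternalDecompressor":""}`
const tamperedManifest = `{"BackupMethod":"builtin","CompressionEngine":"external","ExternalDecompressor":"sh -c \"touch /tmp/restore-ran\""}`

// parseManifest decodes a MANIFEST document.
func parseManifest(raw string) (backupManifest, error) {
	var m backupManifest
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return m, fmt.Errorf("manifest: %w", err)
	}
	return m, nil
}

// effectiveDecompressor reproduces the resolution order the advisory describes
// (assumption): a non-empty --external-decompressor flag overrides the
// manifest, otherwise whatever the attacker-writable manifest says is used.
// That fallback is why an empty flag leaves a restore exposed.
func effectiveDecompressor(flagValue string, m backupManifest) string {
	if flagValue != "" {
		return flagValue
	}
	return m.ExternalDecompressor
}

// auditDecompressor rejects a manifest-supplied decompressor whose program is
// not on an operator-chosen allowlist, or which carries shell metacharacters
// that would let a single command string do more than decompress.
func auditDecompressor(cmd string, allowed []string) error {
	if cmd == "" {
		return nil // built-in decompression, nothing external is executed
	}
	if strings.ContainsAny(cmd, ";|&$`<>\n") {
		return fmt.Errorf("decompressor %q contains shell metacharacters", cmd)
	}
	prog := path.Base(strings.Fields(cmd)[0])
	for _, a := range allowed {
		if prog == a {
			return nil
		}
	}
	return fmt.Errorf("decompressor program %q not in allowlist %v", prog, allowed)
}

func main() {
	allowed := []string{"pigz", "zstd", "lz4", "xz"} // constructed allowlist
	for name, raw := range map[string]string{"benign": benignManifest, "tampered": tamperedManifest} {
		m, err := parseManifest(raw)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%-8s manifest decompressor=%q audit=%v\n",
			name, m.ExternalDecompressor, auditDecompressor(m.ExternalDecompressor, allowed))
		fmt.Printf("%-8s effective without flag=%q, with --external-decompressor=cat: %q\n",
			name, effectiveDecompressor("", m), effectiveDecompressor("cat", m))
	}
}
```

Running this shows the tampered manifest failing the audit and, without the flag, becoming the effective decompressor command; with `--external-decompressor=cat` set, the manifest value is never consulted, which is the workaround the advisory recommends for deployments that do not use external decompression.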

CVSS Details

Base Score 8.4 (CVSS 4.0)
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required High
User Interaction Passive
Vulnerable System Impact Confidentiality High / Integrity High / Availability Low
Subsequent System Impact Confidentiality Low / Integrity Low / Availability Low

Threat Intelligence

EPSS Exploit Probability
33.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (1)

CWE-78 OS Command Injection

Affected Products (2)

Vendor           Product   Version range
linuxfoundation  vitess    < 22.0.4
linuxfoundation  vitess    ≥ 23.0.0, < 23.0.3

References (4)

  • github.com https://github.com/vitessio/vitess/commit/4c0173293907af9cb942a6683c465c3f1e9fdb5c
    Patch
  • github.com https://github.com/vitessio/vitess/issues/19459
    Issue Tracking
  • github.com https://github.com/vitessio/vitess/pull/19460
    Issue Tracking, Patch
  • github.com https://github.com/vitessio/vitess/security/advisories/GHSA-8g8j-r87h-p36x
    Mitigation, Patch, Vendor Advisory

Remediation

Upgrade to Vitess 23.0.3 or 22.0.4, or apply the `--external-decompressor` workaround described above until the upgrade is possible.

  • github.com https://github.com/vitessio/vitess/commit/4c0173293907af9cb942a6683c465c3f1e9fdb5c
    Patch
  • github.com https://github.com/vitessio/vitess/pull/19460
    Issue Tracking, Patch
  • github.com https://github.com/vitessio/vitess/security/advisories/GHSA-8g8j-r87h-p36x
    Mitigation, Patch, Vendor Advisory