CVE-2026-27965

Source
https://cve.org/CVERecord?id=CVE-2026-27965
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27965.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27965
Aliases
Published
2026-02-26T01:49:10.071Z
Modified
2026-03-03T02:56:59.818119Z
Severity
  • 8.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L
Summary
Vitess users with backup storage access can gain unauthorized access to production deployment environments
Details

Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (for example an S3 bucket) can manipulate backup manifest files so that arbitrary code is executed when that backup is later restored. The manifest is stored in the same location as the backup data, so anything read from it, including a command to run, is attacker-controlled for anyone who can write to that location. This gives the attacker unintended and unauthorized access to the production deployment environment: they can read information available in that environment and run further arbitrary commands there.

Versions 23.0.3 and 22.0.4 contain a patch.

Workarounds are available. The value of the --external-decompressor flag for vttablet and vtbackup overrides any decompressor command specified in the manifest file. Operators who intend to use an external decompressor should therefore always specify that command in the flag. Operators who intend to use neither an external nor an internal decompressor can set the flag to a harmless command such as cat or tee, so that only that command is ever run. Either workaround only helps if the flag is set on every vttablet and vtbackup process that may perform a restore.
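The failure mode above, as an added Go example that is not Vitess code: a restore path that takes its decompressor command from the manifest (attacker-writable storage) beside one where the operator's --external-decompressor value always wins. The manifest field name ExternalDecompressor and the sample manifest are assumptions for illustration, the command line is split on whitespace and run without a shell, and the hardened path fails closed when no flag is set, which goes beyond the workaround in the advisory and is not a description of the project's patch.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Manifest is the subset of a backup manifest this example needs. The field
// name ExternalDecompressor is assumed for illustration, not taken from the
// project's source.
type Manifest struct {
	CompressionEngine    string `json:"CompressionEngine"`
	ExternalDecompressor string `json:"ExternalDecompressor"`
}

// Constructed sample: a manifest rewritten by someone with write access to
// the backup bucket. Whatever is in ExternalDecompressor runs on the host
// that restores the backup if the manifest is trusted.
const tamperedManifest = `{
  "CompressionEngine": "external",
  "ExternalDecompressor": "sh -c id"
}`

func parseManifest(manifestJSON []byte) (Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return Manifest{}, fmt.Errorf("bad manifest: %w", err)
	}
	return m, nil
}

// vulnerableArgv mirrors the pre-fix behaviour described in the advisory:
// when the operator did not set --external-decompressor, the command string
// is taken from the manifest, i.e. from storage the attacker can write to.
func vulnerableArgv(flagValue string, manifestJSON []byte) ([]string, error) {
	m, err := parseManifest(manifestJSON)
	if err != nil {
		return nil, err
	}
	if flagValue != "" {
		return strings.Fields(flagValue), nil
	}
	if m.ExternalDecompressor == "" {
		return nil, errors.New("no decompressor configured")
	}
	return strings.Fields(m.ExternalDecompressor), nil // attacker-chosen
}

// hardenedArgv applies the advisory's workaround: a non-empty flag value
// always overrides the manifest. It additionally refuses to run when no
// flag is set but the manifest names a command; that refusal is a policy of
// this example, not the project's patch.
func hardenedArgv(flagValue string, manifestJSON []byte) ([]string, error) {
	m, err := parseManifest(manifestJSON)
	if err != nil {
		return nil, err
	}
	if flagValue != "" {
		return strings.Fields(flagValue), nil
	}
	if m.ExternalDecompressor != "" {
		return nil, fmt.Errorf("refusing decompressor %q supplied by manifest", m.ExternalDecompressor)
	}
	return nil, errors.New("no decompressor configured")
}

// runDecompressor pipes data through argv without a shell: argv[0] is the
// program and the rest are literal arguments, so no shell metacharacters in
// the command line are interpreted.
func runDecompressor(argv []string, data []byte) ([]byte, error) {
	if len(argv) == 0 {
		return nil, errors.New("empty argv")
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdin = bytes.NewReader(data)
	var out bytes.Buffer
	cmd.Stdout = &out
	if err := cmd.Run(); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// restore is the hardened restore path: the command comes from the flag,
// never from the manifest, and the backup payload is streamed through it.
func restore(flagValue string, manifestJSON, payload []byte) ([]byte, error) {
	argv, err := hardenedArgv(flagValue, manifestJSON)
	if err != nil {
		return nil, err
	}
	return runDecompressor(argv, payload)
}

func main() {
	payload := []byte("constructed backup payload\n")
	manifest := []byte(tamperedManifest)

	argv, _ := vulnerableArgv("", manifest)
	fmt.Printf("pre-fix, no flag: would exec %q (attacker-chosen)\n", argv)

	if _, err := restore("", manifest, payload); err != nil {
		fmt.Println("hardened, no flag:", err)
	}
	out, err := restore("cat", manifest, payload)
	fmt.Printf("hardened, --external-decompressor=cat: %q err=%v\n", out, err)
}
```

With --external-decompressor=cat the tampered manifest is parsed but its command is never executed and the payload passes through unchanged; with no flag the hardened path refuses rather than falling back to the manifest. Splitting the command line into argv and calling exec.Command directly, rather than handing the string to a shell, is what keeps metacharacters in an operator-supplied value from being interpreted.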

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27965.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/vitessio/vitess

Affected ranges

Type
GIT
Repo
https://github.com/vitessio/vitess
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "22.0.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/vitessio/vitess
Events
Database specific
{
    "versions": [
        {
            "introduced": "23.0.0"
        },
        {
            "fixed": "23.0.3"
        }
    ]
}

Affected versions

v0.*
v0.10.0
v0.10.2
v0.22.0
v0.22.0-rc1
v0.22.0-rc2
v0.22.0-rc3
v0.22.1
v0.22.2
v0.22.3
v0.23.0
v0.23.1
v0.23.2
v0.8.0
v0.9.0
v0.9.1
v10.*
v10.0.0
v10.0.0-rc1
v10.0.0-rc1-mysql80
v10.0.1
v10.0.2
v11.*
v11.0.0-rc1
v2.*
v2.0.0-alpha1
v2.0.0-alpha2
v2.0.0-alpha3
v2.0.0-alpha4
v2.0.0-alpha5
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-rc.1
v2.0.0-rc.2
v2.1.0-alpha.1
v2.2
v2.2-alpha
v2.2.0-rc.1
v22.*
v22.0.0
v22.0.0-rc1
v22.0.0-rc2
v22.0.0-rc3
v22.0.1
v22.0.2
v22.0.3
v23.*
v23.0.0
v23.0.1
v23.0.2
v3.*
v3.0
v3.0.0-rc.1
v3.0.0-rc.2
v3.0.0-rc.3
v5.*
v5.0.0
v5.0.1
v6.*
v6.0.0-rc.1
v7.*
v7.0.0-beta
v8.*
v8.0.0
v8.0.0-rc1
v8.0.0-test
v9.*
v9.0.0
v9.0.0-rc1
v9.0.1
v9.0.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27965.json"