CVE-2026-27965
published 2026-02-26


Priority: P268 · Severity: critical · CVSS 3.1 base score: 9.9
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.42% (33.4th percentile)
Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored. This can give the attacker unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. Some workarounds are available. Those who intend to use an external decompressor can always specify that decompressor command in the `--external-decompressor` flag value for `vttablet` and `vtbackup`; that flag then overrides any value specified in the manifest file. Those who intend to use neither an external decompressor nor an internal one can specify a value such as `cat` or `tee` in the `--external-decompressor` flag value for `vttablet` and `vtbackup` to ensure that a harmless command is always used.

Affected

10 ranges

Vendor           Product                                     Version range        Fixed in
linuxfoundation  vitess                                      < 22.0.4             22.0.4
linuxfoundation  vitess                                      >= 23.0.0 < 23.0.3   23.0.3
msrc             azl3_vitess_19.0.4-7_on_azure_linux_3.0     -                    -
msrc             azl3_vitess_19.0.4-9_on_azure_linux_3.0     -                    -
msrc             cbl2_vitess_17.0.7-14_on_cbl_mariner_2.0    -                    -
vitess.io        vitess                                      >= 0 < 0.22.4        0.22.4
vitess.io        vitess                                      0 – 0.23.2           -
vitess.io        vitess                                      >= 0.23.0 < 0.23.3   0.23.3
vitessio         vitess                                      < 22.0.4             22.0.4
vitessio         vitess                                      -                    -

Detection & IOCs (extracted from sources)

  • Monitor for unexpected or modified backup manifest files in backup storage locations (e.g. S3 buckets) used by Vitess, as attackers with read/write access can manipulate these files to inject arbitrary commands executed at restore time.
  • Alert on unexpected or attacker-controlled values in the external decompressor field of Vitess backup manifest files, as this field can be weaponized to execute arbitrary commands during backup restoration.
  • Audit `vttablet` and `vtbackup` process invocations for unexpected `--external-decompressor` flag values or child processes spawned during backup restore operations, which may indicate exploitation of a tampered manifest.
  • Versions prior to 23.0.3 and 22.0.4 are vulnerable; patched versions override the manifest-specified decompressor with the operator-supplied `--external-decompressor` flag, preventing arbitrary command injection.
  • If no external decompressor is intended, operators should explicitly set `--external-decompressor` to a safe no-op command (e.g. `cat` or `tee`) on both `vttablet` and `vtbackup` to neutralize any malicious value embedded in a backup manifest.
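As an added, defender-side check that is not part of this record or of the Vitess project: a Python scanner that walks a local copy or mount of the backup store and flags any manifest whose external-decompressor value is not one the operator deliberately allowlisted (the same value you would pass in `--external-decompressor`). It assumes the manifest is a JSON file named `MANIFEST` carrying an `ExternalDecompressor` key; both sample manifests are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Commands the operator deliberately configured; "" means no external decompressor.
ALLOWED_DECOMPRESSORS = {"", "cat", "tee", "zstd -d", "lz4 -d"}
# Characters that turn one command into a shell chain or pipeline.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n]")


def check_manifest(manifest: dict, allowed=ALLOWED_DECOMPRESSORS) -> list[str]:
    """Findings for one parsed manifest; an empty list means it looks clean."""
    value = manifest.get("ExternalDecompressor", "")  # assumed field name
    if not isinstance(value, str):
        return [f"ExternalDecompressor is {type(value).__name__}, expected str"]
    findings = []
    if value not in allowed:
        findings.append(f"unexpected decompressor command {value!r}")
    if SHELL_META.search(value):
        findings.append("decompressor value contains shell metacharacters")
    return findings


def scan_backup_root(root: Path) -> dict[str, list[str]]:
    """Walk a local copy or mount of the backup store; map path -> findings."""
    results = {}
    for path in sorted(root.rglob("MANIFEST")):  # assumed manifest file name
        try:
            findings = check_manifest(json.loads(path.read_text()))
        except (OSError, ValueError) as exc:
            findings = [f"unreadable manifest: {exc}"]
        if findings:
            results[str(path.relative_to(root))] = findings
    return results


# Constructed sample manifests (illustrative values, not real backups).
BENIGN = {"BackupMethod": "xtrabackup", "ExternalDecompressor": ""}
TAMPERED = {"BackupMethod": "xtrabackup", "ExternalDecompressor": "cat; echo TAMPERED"}


def demo() -> dict[str, list[str]]:
    """Write both samples into a throwaway backup tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, manifest in (("ks/0/20260226.good", BENIGN), ("ks/0/20260226.bad", TAMPERED)):
            (root / name).mkdir(parents=True)
            (root / name / "MANIFEST").write_text(json.dumps(manifest))
        return scan_backup_root(root)
```

Run it against a synced copy of the bucket on a schedule and alert on any non-empty result; a manifest that names a command you never configured is the tampering signal the advisory describes.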

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     9.9    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd          v4.0     8.4    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_msrc  -        8.4    HIGH      -