CVE-2026-27965: OS Command Injection in Vitess

Severity: 8.4 HIGH (NVD)
EPSS: 0.1% (top 79.02%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 26; latest update Mar 10

Description

Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (for example, an S3 bucket) can manipulate backup manifest files so that arbitrary code is executed when that backup is later restored. This can give the attacker unintended or unauthorized access to the production deployment environment, allowing them to access information available in that environment as well as run
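The page states only that a manifest fetched from attacker-writable backup storage ends up driving command execution during restore; it does not say which manifest field is involved or how the fix works. The following Go program is an added illustration, not code from Vitess or from this page: it treats a hypothetical two-field manifest as untrusted input, contrasts the shell-splicing anti-pattern with an argv built without a shell, and adds a version check against the fixed releases the page names (23.0.3 and 22.0.4). The manifest shape, the `restore-tool` binary name, and the treatment of release lines older than 22.0 as affected are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
	"strings"
)

// Manifest is a hypothetical, minimal stand-in for a backup manifest (the
// real Vitess layout is not on this page). Every field is attacker-controlled,
// because it was read from storage the attacker can write to.
type Manifest struct {
	Engine string   `json:"engine"`
	Files  []string `json:"files"`
}

// Allow-lists per field: only the characters a legitimate value needs.
var (
	engineRE = regexp.MustCompile(`^[a-z][a-z0-9_]{0,31}$`)
	fileRE   = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$`)
)

// ParseManifest decodes a manifest fetched from backup storage and rejects any
// value that could not be a legitimate engine or file name. Unknown JSON keys
// are rejected too, so nothing can be smuggled into fields added later.
func ParseManifest(raw []byte) (*Manifest, error) {
	var m Manifest
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&m); err != nil {
		return nil, fmt.Errorf("manifest: %w", err)
	}
	if !engineRE.MatchString(m.Engine) {
		return nil, fmt.Errorf("manifest: engine %q rejected", m.Engine)
	}
	if len(m.Files) == 0 {
		return nil, errors.New("manifest: no files listed")
	}
	for _, f := range m.Files {
		if !fileRE.MatchString(f) {
			return nil, fmt.Errorf("manifest: file name %q rejected", f)
		}
	}
	return &m, nil
}

// UnsafeRestoreCommand is the anti-pattern: manifest strings are spliced into
// one command line destined for "sh -c", so ";", "|" or "$(...)" in a file
// name becomes attacker-chosen shell. Shown only for contrast, never executed.
func UnsafeRestoreCommand(m *Manifest) string {
	return "restore-tool --engine " + m.Engine + " " + strings.Join(m.Files, " ")
}

// SafeRestoreArgv builds an argv for a validated manifest: each value is its
// own argument and no shell parses it, so metacharacters stay inert even if a
// validation gap is found later.
func SafeRestoreArgv(m *Manifest) []string {
	argv := []string{"restore-tool", "--engine", m.Engine, "--"}
	return append(argv, m.Files...)
}

// fixedIn holds the first patched release on each line the page names.
// Assumption: older lines are affected, newer lines already carry the fix.
var fixedIn = map[int][3]int{22: {22, 0, 4}, 23: {23, 0, 3}}

func parseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.SplitN(strings.TrimPrefix(strings.TrimSpace(v), "v"), ".", 3)
	if len(parts) != 3 {
		return out, fmt.Errorf("version %q: want major.minor.patch", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("version %q: bad component %q", v, p)
		}
		out[i] = n
	}
	return out, nil
}

// IsAffected reports whether a Vitess version predates the fix on its line.
func IsAffected(v string) (bool, error) {
	ver, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	fix, ok := fixedIn[ver[0]]
	if !ok {
		return ver[0] < 22, nil
	}
	for i := range ver {
		if ver[i] != fix[i] {
			return ver[i] < fix[i], nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample manifest, not a real Vitess artifact.
	m, err := ParseManifest([]byte(`{"engine":"xtrabackup","files":["backup-2026-02-26.tar.gz"]}`))
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	argv := SafeRestoreArgv(m)
	fmt.Println("would run:", exec.Command(argv[0], argv[1:]...).String()) // no shell involved
	hostile := &Manifest{Engine: "xtrabackup", Files: []string{"a.tar; id"}}
	fmt.Println("unsafe line a shell would see:", UnsafeRestoreCommand(hostile))
	for _, v := range []string{"22.0.3", "22.0.4", "23.0.2", "23.0.3"} {
		a, _ := IsAffected(v)
		fmt.Printf("%s affected=%v\n", v, a)
	}
}
```

The two halves are independent checks: `IsAffected` answers "does this tablet need upgrading", while `ParseManifest` plus `SafeRestoreArgv` shows the shape a restore path should take regardless of version, since validation at the storage boundary and shell-free execution together close the class of bug the page describes.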

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

Affected Packages (6 packages)

Patches

🔴 Vulnerability Details (3)

OSV: Vitess users can gain unauthorized access to production deployment environments in vitess.io/vitess (2026-03-10)
GHSA: Vitess users with backup storage access can gain unauthorized access to production deployment environments (2026-02-26)
OSV: Vitess users with backup storage access can gain unauthorized access to production deployment environments (2026-02-26)

📋 Vendor Advisories (1)

Microsoft: Vitess users with backup storage access can gain unauthorized access to production deployment environments (2026-02-10)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-27965 Impact, Exploitability, and Mitigation Steps | Wiz