CVE-2026-27969
Published: 2026-02-26
Priority: P2 · 62 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.40% (32.0th percentile)
Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore. This is a common path traversal security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. No known workarounds are available.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linuxfoundation | vitess | < 22.0.4 | 22.0.4 |
| linuxfoundation | vitess | >= 23.0.0 < 23.0.3 | 23.0.3 |
| msrc | azl3_vitess_19.0.4-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_vitess_19.0.4-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_vitess_17.0.7-12_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_vitess_17.0.7-14_on_cbl_mariner_2.0 | — | — |
| vitess.io | vitess | >= 0 < 0.22.4 | 0.22.4 |
| vitess.io | vitess | >= 0.23.0-rc1 < 0.23.3 | 0.23.3 |
| vitessio | vitess | < 22.0.4 | 22.0.4 |
| vitessio | vitess | — | — |
Detection & IOCs (extracted from sources)
- Monitor for path traversal patterns in Vitess backup manifest files: filenames or paths containing directory traversal sequences (e.g., '../') within backup manifests stored in backup storage locations (e.g., S3 buckets) may indicate manipulation.
- Alert on unexpected file writes to sensitive or arbitrary filesystem paths during Vitess backup restore operations, which may indicate exploitation of this path traversal vulnerability.
- Audit access logs on backup storage (e.g., S3 bucket) for unexpected read/write activity against Vitess backup manifest files, particularly additions or modifications of manifest entries by non-standard principals.
- The attack requires the adversary to already have read/write access to the backup storage location (e.g., S3 bucket), making access control on backup storage a critical compensating control.
- Successful exploitation can lead to arbitrary command execution and unauthorized information access within the production deployment environment, not just file write.
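The description above says the restore path is derived from entries in the backup manifest, so an attacker who can edit the manifest in the storage bucket chooses where files land; the detection list then asks for manifest entries containing traversal sequences to be flagged. The Go program below is an added example (not Vitess code, and not its real manifest format) showing the check a restore routine or a bucket-side audit job would apply to every entry before writing anything: the entry's directory class must come from a closed allow-list, its relative name may not be absolute or contain a `..` component, and the cleaned target must still resolve under the restore root. The manifest JSON, the `Base`/`Name` field names, the allowed base names and the restore root are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// fileEntry is a simplified, constructed manifest entry: a directory class
// (Base) and a path relative to it (Name). It is not Vitess's own format.
type fileEntry struct {
	Base string `json:"Base"`
	Name string `json:"Name"`
}

type manifest struct {
	FileEntries []fileEntry `json:"FileEntries"`
}

// allowedBases is the closed set of directory classes a restore may write into
// (assumed names for this example).
var allowedBases = map[string]bool{
	"Data":       true,
	"InnoDBData": true,
	"InnoDBLog":  true,
}

// sampleManifest is constructed input: two ordinary entries and three that a
// restore must refuse (unknown base, ".." traversal, absolute path).
const sampleManifest = `{
  "FileEntries": [
    {"Base": "Data", "Name": "mysql/user.ibd"},
    {"Base": "InnoDBData", "Name": "ibdata1"},
    {"Base": "Logs", "Name": "ib_logfile0"},
    {"Base": "Data", "Name": "../../../tmp/escaped.txt"},
    {"Base": "Data", "Name": "/etc/escaped.conf"}
  ]
}`

// restoreTarget computes where an entry would be written under root, or
// returns an error if the entry could land anywhere outside root/<Base>.
func restoreTarget(root string, e fileEntry) (string, error) {
	if !allowedBases[e.Base] {
		return "", fmt.Errorf("unknown base %q", e.Base)
	}
	if filepath.IsAbs(e.Name) || strings.HasPrefix(e.Name, "/") || strings.HasPrefix(e.Name, `\`) {
		return "", fmt.Errorf("absolute name %q", e.Name)
	}
	// Reject any ".." component outright, whichever separator was used.
	for _, part := range strings.FieldsFunc(e.Name, func(r rune) bool { return r == '/' || r == '\\' }) {
		if part == ".." {
			return "", fmt.Errorf("traversal in name %q", e.Name)
		}
	}
	baseDir := filepath.Join(root, e.Base)
	target := filepath.Join(baseDir, e.Name) // Join also cleans the path
	// Belt and braces: the cleaned target must still sit below baseDir.
	rel, err := filepath.Rel(baseDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("name %q escapes %s", e.Name, baseDir)
	}
	return target, nil
}

// validateManifest parses a manifest and partitions its entries into accepted
// restore targets and rejection reasons. A real restore should abort on the
// first rejection rather than skip the entry.
func validateManifest(root string, data []byte) (accepted []string, rejected []string, err error) {
	var m manifest
	if perr := json.Unmarshal(data, &m); perr != nil {
		return nil, nil, fmt.Errorf("parse manifest: %w", perr)
	}
	for _, e := range m.FileEntries {
		target, rerr := restoreTarget(root, e)
		if rerr != nil {
			rejected = append(rejected, rerr.Error())
			continue
		}
		accepted = append(accepted, target)
	}
	return accepted, rejected, nil
}

func main() {
	accepted, rejected, err := validateManifest("/var/lib/mysql-restore", []byte(sampleManifest))
	if err != nil {
		panic(err)
	}
	for _, p := range accepted {
		fmt.Println("ok      ", p)
	}
	for _, r := range rejected {
		fmt.Println("rejected", r)
	}
}
```

The same `restoreTarget` check, run read-only against manifests fetched from the bucket, doubles as the audit the detection list describes: any entry it rejects is a manifest that has been tampered with or was never produced by a healthy backup.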
CVSS provenance
- NVD v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD v4.0: 9.3 CRITICAL (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
- Vendor (MSRC): 9.3 CRITICAL
GHSA · 2026-04-11 · CVE-2026-5059 [CRITICAL] CWE-78: aws-mcp has a Command Injection Remote Code Execution Vulnerability
aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27969.
OSV · 2026-03-10 · CVE-2026-27969: Vitess users with backup storage access can write to arbitrary file paths on restore in vitess.io/vitess
GHSA · 2026-02-27 · CVE-2026-27969 [CRITICAL] CWE-22: Vitess users with backup storage access can write to arbitrary file paths on restore
### Impact
Anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore. This is a common [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there.
### Patches
v23.0.3 and v22.0.4
### Resources
https://github.com/
OSV · 2026-02-27 · CVE-2026-27969 [CRITICAL]: Vitess users with backup storage access can write to arbitrary file paths on restore
Microsoft (MSRC) · 2026-02-10 · CVSS 9.3 · CVE-2026-27969 [CRITICAL] CWE-22: Vitess users with backup storage access can write to arbitrary file paths on restore
Tags: Mariner, GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
No detection rules found.
No public exploits indexed.
Published: 2026-02-26