CVE-2026-27969
published 2026-02-26

Priority: P262 high
CVSS 3.1 base score: 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.40% (32.0th percentile)
Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore. This is a common path traversal security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. No known workarounds are available.

Affected

10 ranges

Vendor           Product                                    Version range             Fixed in
linuxfoundation  vitess                                     < 22.0.4                  22.0.4
linuxfoundation  vitess                                     >= 23.0.0 < 23.0.3        23.0.3
msrc             azl3_vitess_19.0.4-7_on_azure_linux_3.0
msrc             azl3_vitess_19.0.4-9_on_azure_linux_3.0
msrc             cbl2_vitess_17.0.7-12_on_cbl_mariner_2.0
msrc             cbl2_vitess_17.0.7-14_on_cbl_mariner_2.0
vitess.io        vitess                                     >= 0 < 0.22.4             0.22.4
vitess.io        vitess                                     >= 0.23.0-rc1 < 0.23.3    0.23.3
vitessio         vitess                                     < 22.0.4                  22.0.4
vitessio         vitess

Detection & IOCs (extracted from sources)

  • Monitor for path traversal patterns in Vitess backup manifest files — filenames or paths containing directory traversal sequences (e.g., '../') within backup manifests stored in backup storage locations (e.g., S3 buckets) may indicate manipulation.
  • Alert on unexpected file writes to sensitive or arbitrary filesystem paths during Vitess backup restore operations, which may indicate exploitation of this path traversal vulnerability.
  • Audit access logs on backup storage (e.g., S3 bucket) for unexpected read/write activity against Vitess backup manifest files, particularly additions or modifications of manifest entries by non-standard principals.
  • The attack requires the adversary to already have read/write access to the backup storage location (e.g., S3 bucket), making access control on backup storage a critical compensating control.
  • Successful exploitation can lead to arbitrary command execution and unauthorized information access within the production deployment environment, not just file write.
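As an added illustration of the defensive check a restore routine needs (this is example code written for this page, not Vitess's own code, and it uses a constructed, simplified manifest layout rather than the real Vitess MANIFEST format), every manifest entry is resolved against the restore root and rejected if it would land outside it, whether through `..` sequences or an absolute path:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Manifest is a simplified, constructed stand-in for a backup manifest
// (assumed layout for this example; not the real Vitess MANIFEST).
type Manifest struct {
	FileEntries []struct {
		Base string `json:"Base"`
		Name string `json:"Name"`
	} `json:"FileEntries"`
}

var ErrUnsafePath = errors.New("manifest entry resolves outside the restore root")

// SafeRestorePath joins a manifest entry onto root and refuses anything that
// does not resolve strictly below root: empty names, absolute paths, and
// traversal via "..". Symlinks already inside root are not resolved here.
func SafeRestorePath(root, base, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || filepath.IsAbs(base) {
		return "", ErrUnsafePath
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(absRoot, base, name) // Join also cleans the result
	if !strings.HasPrefix(dest, absRoot+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return dest, nil
}

// CheckManifest parses manifest JSON and returns the raw Base/Name of every
// entry that would be written outside root; an empty result means clean.
func CheckManifest(root string, manifestJSON []byte) ([]string, error) {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	var bad []string
	for _, e := range m.FileEntries {
		if _, err := SafeRestorePath(root, e.Base, e.Name); err != nil {
			bad = append(bad, e.Base+"/"+e.Name)
		}
	}
	return bad, nil
}

func main() {
	// Constructed sample: two ordinary entries plus one traversal entry.
	sample := []byte(`{"FileEntries":[{"Base":"Data","Name":"ibdata1"},
	  {"Base":"InnoDBLogs","Name":"ib_logfile0"},
	  {"Base":"Data","Name":"../../../../tmp/escaped"}]}`)
	bad, err := CheckManifest("/var/lib/mysql", sample)
	fmt.Println(bad, err) // prints [Data/../../../../tmp/escaped] <nil>
}
```

The same check, run over manifests as they sit in backup storage, doubles as the detection the bullets above describe: any entry it rejects is a manifest that should never be restored.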

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd          v4.0     9.3    CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_msrc           9.3    CRITICAL