Vitess.Io Vitess vulnerabilities

CVE-2026-27969 [CRITICAL] CWE-22 Vitess users with backup storage access can write to arbitrary file paths on restore Vitess users with backup storage access can write to arbitrary file paths on restore ### Impact Anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore.

CVE-2026-27965 [HIGH] CWE-78 Vitess users with backup storage access can gain unauthorized access to production deployment environments Vitess users with backup storage access can gain unauthorized access to production deployment environments ### Impact Any user with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored. This can be used to provide that attacker with uninte

CVE-2024-53257 [MEDIUM] CWE-79 Vitess allows HTML injection in /debug/querylogz & /debug/env Vitess allows HTML injection in /debug/querylogz & /debug/env ### Summary The `/debug/querylogz` and `/debug/env` pages for `vtgate` and `vttablet` do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. ### Details These pages are rendered using `text/template` instead of rendering with a proper HTML templating engine. ### Po

CVE-2024-32886 [MEDIUM] CWE-835 Vitess vulnerable to infinite memory consumption and vtgate crash Vitess vulnerable to infinite memory consumption and vtgate crash ### Summary When executing the following simple query, the `vtgate` will go into an endless loop that also keeps consuming memory and eventually will OOM. ### Details When running the following query, the `evalengine` will try evaluate it and runs forever. ``` select _utf16 0xFF ``` The source of the bug lies in the collation lo

CVE-2023-29195 [MEDIUM] CWE-20 VTAdmin users that can create shards can deny access to other functions VTAdmin users that can create shards can deny access to other functions ### Impact Users can either intentionally or inadvertently create a shard containing `/` characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using `vtctldclient` does no

CVE-2023-29194 [MEDIUM] CWE-20 vitess allows users to create keyspaces that can deny access to already existing keyspaces vitess allows users to create keyspaces that can deny access to already existing keyspaces ### Impact Users can either intentionally or inadvertently create a keyspace containing `/` characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces using `vtctldclient GetKeyspaces` will also retur