{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27969", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:24:57.793Z", "datePublished": "2026-02-26T01:52:30.677Z", "dateUpdated": "2026-02-26T19:33:53.738Z"}, "containers": {"cna": {"title": "Vitess users with backup storage access can write to arbitrary file paths on restore", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/vitessio/vitess/security/advisories/GHSA-r492-hjgh-c9gw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vitessio/vitess/security/advisories/GHSA-r492-hjgh-c9gw"}, {"name": "https://github.com/vitessio/vitess/pull/19470", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitessio/vitess/pull/19470"}, {"name": "https://github.com/vitessio/vitess/commit/c565cab615bc962bda061dcd645aa7506c59ca4a", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitessio/vitess/commit/c565cab615bc962bda061dcd645aa7506c59ca4a"}], "affected": [{"vendor": "vitessio", "product": "vitess", "versions": [{"version": "< 22.0.4", "status": "affected"}, {"version": ">= 23.0.0, < 23.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T01:52:30.677Z"}, "descriptions": [{"lang": "en", "value": "Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest \u2014 which may be files that they have also added to the manifest and backup contents \u2014\u00a0are written to any accessible location on restore. This is a common path traversal security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment \u2014 allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-r492-hjgh-c9gw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T19:33:42.759773Z", "id": "CVE-2026-27969", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T19:33:53.738Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27969", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-26T19:33:42.759773Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T19:33:49.016Z"}}], "cna": {"title": "Vitess users with backup storage access can write to arbitrary file paths on restore", "source": {"advisory": "GHSA-r492-hjgh-c9gw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:H/SA:H", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vitessio", "product": "vitess", "versions": [{"status": "affected", "version": "< 22.0.4"}, {"status": "affected", "version": ">= 23.0.0, < 23.0.3"}]}], "references": [{"url": "https://github.com/vitessio/vitess/security/advisories/GHSA-r492-hjgh-c9gw", "name": "https://github.com/vitessio/vitess/security/advisories/GHSA-r492-hjgh-c9gw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vitessio/vitess/pull/19470", "name": "https://github.com/vitessio/vitess/pull/19470", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vitessio/vitess/commit/c565cab615bc962bda061dcd645aa7506c59ca4a", "name": "https://github.com/vitessio/vitess/commit/c565cab615bc962bda061dcd645aa7506c59ca4a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest \u2014 which may be files that they have also added to the manifest and backup contents \u2014\u00a0are written to any accessible location on restore. This is a common path traversal security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment \u2014 allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T01:52:30.677Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27969", "state": "PUBLISHED", "dateUpdated": "2026-02-26T19:33:53.738Z", "dateReserved": "2026-02-25T03:24:57.793Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T01:52:30.677Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:vitess:*:*:*:*:*:*:*:*", "matchCriteriaId": "918163A7-23FD-40D2-B3E3-7B7ED4E79E44", "versionEndExcluding": "22.0.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:vitess:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB25FA07-F72B-445D-AA0C-E97D2E5E7CC8", "versionEndExcluding": "23.0.3", "versionStartIncluding": "23.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest \u2014 which may be files that they have also added to the manifest and backup contents \u2014\u00a0are written to any accessible location on restore. This is a common path traversal security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment \u2014 allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. No known workarounds are available."}, {"lang": "es", "value": "Vitess es un sistema de clustering de bases de datos para el escalado horizontal de MySQL. Antes de las versiones 23.0.3 y 22.0.4, cualquier persona con acceso de lectura/escritura a la ubicaci\u00f3n de almacenamiento de copias de seguridad (por ejemplo, un bucket de S3) puede manipular los archivos de manifiesto de copia de seguridad para que los archivos en el manifiesto \u2014 que pueden ser archivos que tambi\u00e9n hayan a\u00f1adido al manifiesto y al contenido de la copia de seguridad \u2014 se escriban en cualquier ubicaci\u00f3n accesible al restaurar. Este es un problema de seguridad com\u00fan de salto de ruta. Esto puede usarse para proporcionar a ese atacante acceso no intencionado/no autorizado al entorno de despliegue de producci\u00f3n \u2014 permiti\u00e9ndoles acceder a la informaci\u00f3n disponible en ese entorno, as\u00ed como ejecutar cualquier comando arbitrario adicional all\u00ed. Las versiones 23.0.3 y 22.0.4 contienen un parche. No se conocen soluciones alternativas disponibles."}], "id": "CVE-2026-27969", "lastModified": "2026-02-27T18:28:21.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T02:16:24.177", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vitessio/vitess/commit/c565cab615bc962bda061dcd645aa7506c59ca4a"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/vitessio/vitess/pull/19470"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/vitessio/vitess/security/advisories/GHSA-r492-hjgh-c9gw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,22.0.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[23.0.0,23.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vitess", "source": "cna", "vendor": "vitessio"}, "product": "vitess", "vendor": "vitessio"}], "analysis": {"en": {"generated_at": "2026-04-17T14:30:10.857178+00:00", "value": {"mitigation_remediation": ["Upgrade Vitess to version 23.0.3 or later (or 22.0.4 for the 22.x branch) to apply the manifest validation fix.", "Limit backup storage permissions to the minimum required; remove write access from untrusted users or accounts that have access to the backup bucket.", "Implement signed or encrypted backup manifests if available, and verify backup integrity to prevent tampering."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Vitess, the database clustering system for MySQL, is affected in all releases before 23.0.3 and 22.0.4. The issue arises when the user has write permissions to the backup storage location, such as an S3 bucket. The vendor released a patch in version 23.0.3 for the mainline and 22.0.4 for the 22.x branch, addressing the manifest validation and file path handling. Systems using earlier versions with unrestricted backup storage access are at risk.", "description_and_impact": "The vulnerability allows an attacker who can read and write to the backup storage location to modify backup manifest files. During a restore operation, this manipulation causes the system to write files to any path accessible to the process, essentially a classic path traversal problem (CWE\u201122). The attacker can overwrite configuration files, create or replace executable scripts, or otherwise place malicious content, which can then be executed in the production environment. As a result, the vulnerability can provide the attacker with unauthorized access to sensitive data and the capability to run arbitrary commands, effectively escalating privileges and compromising system integrity.", "risk_and_exploitability": "The CVSS score of 9.3 indicates a critical severity. The EPSS score of less than 1% suggests that exploitation probability is currently low, possibly due to the need for privileged backup storage access. The vulnerability is not listed in the CISA KEV catalog, so no active exploitation reports are known yet. Nevertheless, an attacker who can write to the backup location can inject malicious paths into the manifest which will be processed during restore, resulting in arbitrary file writes. This attack path typically requires a trusted user or compromised backup storage credentials, but once exploited it can lead to remote code execution in the database cluster environment."}}}}, "created": "2026-02-26T13:09:53.595386+00:00", "updated": "2026-04-17T14:30:20.834034+00:00", "vendors": ["vitessio", "vitessio$PRODUCT$vitess"]}