Arbitrary Code Execution Vulnerability in Vitess Database Clustering System
CVE-2026-27965

8.4 HIGH

Key Information:

Vendor

Vitessio

Status
Vendor
CVE Published:
26 February 2026

What is CVE-2026-27965?

A vulnerability exists in Vitess, a database clustering system for MySQL, in which users with read/write access to backup storage can alter backup manifest files. A manipulated manifest could allow an attacker to execute arbitrary code when the backup is restored, potentially granting unauthorized access to the production environment. Victims may suffer data exposure and execution of unintended commands. Users are advised to upgrade to version 23.0.3 or 22.0.4, where the issue has been patched; as a workaround, they can specify safe commands for external decompression.

Affected Version(s)

vitess < 22.0.4

vitess >= 23.0.0, < 23.0.3

CVSS V4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved