Path Traversal Vulnerability in Vitess Database Clustering System
CVE-2026-27969
What is CVE-2026-27969?
Vitess, a database clustering system for the horizontal scaling of MySQL, is vulnerable to path traversal because the restore path does not validate the file paths it reads from backup manifest files. An attacker with read/write access to the backup storage location (for example the S3 bucket holding the backups) can edit a manifest so that, when a backup is restored, files listed in the manifest are written to any location the restoring process can reach instead of the intended restore directory. That turns write access to the backup store into a foothold in the production deployment: sensitive data can be exposed and arbitrary commands executed. The fix is shipped in Vitess 23.0.3 and 22.0.4; users should upgrade to one of those releases. Until then, treat write access to the backup store as equivalent to access to the hosts that restore from it, and restrict it accordingly.
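The failure mode above is a classic manifest path-traversal pattern: a name taken from untrusted storage is joined onto the restore directory and written without checking where the result lands. The following Go example is added here to show the vulnerable join beside a hardened version; it is not Vitess code, and the manifest layout (`FileEntries` with a `Name` field), the restore directory `/var/restore` and the sample entries are constructed for the example rather than taken from the Vitess manifest format.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Manifest and FileEntry are a constructed manifest shape for this example;
// they are not the real Vitess manifest structures.
type Manifest struct {
	FileEntries []FileEntry `json:"FileEntries"`
}

type FileEntry struct {
	Name string `json:"Name"`
}

// sampleManifest is constructed input: two legitimate data files plus two
// entries an attacker with write access to the backup store might plant.
const sampleManifest = `{
  "FileEntries": [
    {"Name": "data/ibdata1"},
    {"Name": "data/mysql/user.ibd"},
    {"Name": "../../../etc/cron.d/evil"},
    {"Name": "/etc/passwd"}
  ]
}`

// unsafeRestorePath shows the vulnerable pattern: the manifest-supplied name is
// joined onto the restore directory and the result is used as-is. Join cleans
// the path, so ".." components in the name walk out of restoreDir.
func unsafeRestorePath(restoreDir, name string) string {
	return filepath.Join(restoreDir, name)
}

// ErrBadEntry is returned for any manifest name that does not resolve to a
// file strictly inside the restore directory.
var ErrBadEntry = errors.New("manifest entry escapes or names the restore directory")

// safeRestorePath rejects absolute names, empty names and any name that, once
// cleaned and joined, is not strictly below restoreDir. The check is lexical:
// it does not follow symlinks that may already exist under restoreDir.
func safeRestorePath(restoreDir, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrBadEntry
	}
	cleanDir := filepath.Clean(restoreDir)
	full := filepath.Join(cleanDir, name) // Join resolves any ".." here
	rel, err := filepath.Rel(cleanDir, full)
	if err != nil {
		return "", ErrBadEntry
	}
	// rel is "." if the name resolved to the directory itself, or starts with
	// ".." if it resolved to something outside it; both are rejected.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadEntry
	}
	return full, nil
}

// restoreTargets parses a manifest and splits its entries into the destination
// paths that pass validation and the raw names that were rejected.
func restoreTargets(manifestJSON []byte, restoreDir string) (accepted, rejected []string, err error) {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, nil, err
	}
	for _, fe := range m.FileEntries {
		p, perr := safeRestorePath(restoreDir, fe.Name)
		if perr != nil {
			rejected = append(rejected, fe.Name)
			continue
		}
		accepted = append(accepted, p)
	}
	return accepted, rejected, nil
}

func main() {
	const restoreDir = "/var/restore" // hypothetical restore directory
	for _, name := range []string{"data/ibdata1", "../../../etc/cron.d/evil"} {
		fmt.Printf("unsafe join: %q -> %s\n", name, unsafeRestorePath(restoreDir, name))
	}
	accepted, rejected, err := restoreTargets([]byte(sampleManifest), restoreDir)
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", accepted)
	fmt.Println("rejected:", rejected)
}
```

With the constructed manifest, the unsafe join sends `../../../etc/cron.d/evil` to `/etc/cron.d/evil`, which is exactly the redirect-on-restore the advisory describes; the hardened version keeps the two data files and rejects both planted entries. Because the check is lexical, a restore that also creates symlinks from manifest entries, or runs in a directory where an attacker already controls a symlink, needs an additional filesystem-level check (for example resolving the parent with `filepath.EvalSymlinks` before writing).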
Affected Version(s)
vitess < 22.0.4 (fixed in 22.0.4)
vitess >= 23.0.0, < 23.0.3 (fixed in 23.0.3)
