Vitess users with backup access can write files to any location on restore
CVE-2026-27969
GHSA-r492-hjgh-c9gw
Summary
Anyone with read/write access to Vitess backup storage (for example the S3 bucket backups are written to) can tamper with backup manifest files so that a restore writes attacker-supplied files to arbitrary paths on the restoring host. This can expose sensitive information in the production environment and allow arbitrary command execution there. Update to Vitess 23.0.3 or 22.0.4. If you cannot update, restrict access to backup storage locations to authorized principals only, and treat backup contents as untrusted input until you have done so.
What to do
- On the 23.x line, update vitess.io vitess to version 0.23.3 (release v23.0.3).
- On the 22.x line, update vitess.io vitess to version 0.22.4 (release v22.0.4).
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| vitess.io | vitess | > 0.23.0-rc1, < 0.23.3 | 0.23.3 |
| vitess.io | vitess | < 0.22.4 | 0.22.4 |
| linuxfoundation | vitess | < 22.0.4 | 22.0.4 |
| linuxfoundation | vitess | > 23.0.0, < 23.0.3 | 23.0.3 |
Original title
Vitess users with backup storage access can write to arbitrary file paths on restore
Original description
### Impact
Anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore. This is a common [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) security issue. This can be used to provide the attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there.
### Patches
v23.0.3 and v22.0.4
### Resources
https://github.com/vitessio/vitess/pull/19470
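The flaw class described above, as an added illustration that is not Vitess's own code and does not reproduce its manifest format: a restore routine takes file names from a manifest that lives in the same storage an attacker can write to, and joins them to the restore directory without checking that the result stays inside it. The constructed manifest entry, the restore directory and both helper functions are assumptions for the example; the hardened variant shows the containment check a reviewer would expect (reject absolute names, then verify with `filepath.Rel` that the cleaned target does not climb out of the restore root).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// manifestEntry is a constructed stand-in for one file listed in a backup
// manifest. It is not Vitess's manifest schema.
type manifestEntry struct {
	Name string // path of the file, expected to be relative to the restore directory
}

// vulnerableTarget mirrors the flaw class: the name read from storage is
// joined to the restore directory with no containment check. filepath.Join
// cleans the result, so ".." segments silently walk out of restoreDir.
func vulnerableTarget(restoreDir string, e manifestEntry) string {
	return filepath.Join(restoreDir, e.Name)
}

// safeTarget is the hardened variant (example code, not the upstream fix):
// it refuses empty or absolute names, resolves the path, and then requires
// that the resolved path is inside restoreDir. filepath.Rel returning ".."
// or something starting with "../" means the entry escaped the root.
func safeTarget(restoreDir string, e manifestEntry) (string, error) {
	if e.Name == "" || filepath.IsAbs(e.Name) {
		return "", errors.New("manifest entry name must be a non-empty relative path")
	}
	root := filepath.Clean(restoreDir)
	target := filepath.Join(root, e.Name)
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("manifest entry %q escapes restore directory %s", e.Name, root)
	}
	return target, nil
}

func main() {
	// Constructed restore directory and manifest; the second entry is what a
	// storage-side attacker would add to drop a file outside the restore root.
	restoreDir := "/var/lib/mysql/restore"
	manifest := []manifestEntry{
		{Name: "data/ibdata1"},
		{Name: "../../../../etc/cron.d/evil"},
	}
	for _, e := range manifest {
		fmt.Printf("vulnerable: %q -> %s\n", e.Name, vulnerableTarget(restoreDir, e))
		if p, err := safeTarget(restoreDir, e); err != nil {
			fmt.Printf("safe:       %q -> rejected: %v\n", e.Name, err)
		} else {
			fmt.Printf("safe:       %q -> %s\n", e.Name, p)
		}
	}
}
```

The check has to run on the resolved path, not on the raw string: a naive `strings.Contains(name, "..")` filter misses names that are absolute, or that encode traversal differently, while a `filepath.Rel` comparison against the cleaned root is independent of how the entry was spelled.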
NVD CVSS 3.1 score: 8.8
NVD CVSS 4.0 score: 9.3
Vulnerability type: CWE-22 (Path Traversal)
- https://nvd.nist.gov/vuln/detail/CVE-2026-27969
- https://owasp.org/www-community/attacks/Path_Traversal
- https://github.com/advisories/GHSA-r492-hjgh-c9gw
- https://github.com/vitessio/vitess/commit/c565cab615bc962bda061dcd645aa7506c59ca... Patch
- https://github.com/vitessio/vitess/pull/19470 Issue Tracking Patch
- https://github.com/vitessio/vitess/security/advisories/GHSA-r492-hjgh-c9gw Patch Vendor Advisory
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026