CVE-2026-27965

9.9 CRITICAL

📋 TL;DR

This vulnerability allows attackers with read/write access to Vitess backup storage locations to manipulate backup manifest files, leading to arbitrary code execution during backup restoration. This can grant unauthorized access to production environments where backups are restored. Affected are Vitess users with vulnerable versions who store backups in accessible locations like S3 buckets.

💻 Affected Systems

Products:
  • Vitess
Versions: All 23.x versions prior to 23.0.3 and all 22.x versions prior to 22.0.4
Operating Systems: All platforms running Vitess
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires read/write access to backup storage location and use of vulnerable backup restoration process.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full compromise of the production deployment environment, allowing data exfiltration, privilege escalation, and persistent backdoor installation.

🟠 Likely Case: Unauthorized access to production systems and data through manipulated backup restoration processes.

🟢 If Mitigated: Limited to backup storage compromise without code execution if proper access controls and the workarounds are implemented.

🌐 Internet-Facing: MEDIUM - Risk exists if backup storage (e.g., S3 buckets) is internet-accessible or improperly secured.
🏢 Internal Only: HIGH - Internal attackers with backup storage access can exploit this to gain production environment access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires only backup storage access and knowledge of manifest file manipulation.

Exploitation requires access to backup storage and ability to modify manifest files, but technical complexity is low once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 23.0.3 and 22.0.4

Vendor Advisory: https://github.com/vitessio/vitess/security/advisories/GHSA-8g8j-r87h-p36x

Restart Required: Yes

Instructions:

1. Upgrade Vitess to version 23.0.3 or 22.0.4.
2. Restart vttablet and vtbackup services.
3. Verify the version with 'vtctl --version'.

🔧 Temporary Workarounds

External decompressor override (applies to: all)

Specify a safe decompressor command on the command line so it overrides whatever the manifest contains:

vttablet --external-decompressor='cat'
vtbackup --external-decompressor='cat'

Specific decompressor command (applies to: all)

If you use an external decompressor, pass the exact trusted command so the manifest value cannot override it:

vttablet --external-decompressor='/path/to/trusted/decompressor'
vtbackup --external-decompressor='/path/to/trusted/decompressor'

🧯 If You Can't Patch

  • Implement strict access controls on backup storage locations (S3 buckets, etc.)
  • Apply the --external-decompressor workaround with a safe command such as 'cat' or 'tee'

🔍 How to Verify

Check if Vulnerable:

Check Vitess version: if below 23.0.3 (for v23.x) or below 22.0.4 (for v22.x), system is vulnerable.

Check Version:

vtctl --version

Verify Fix Applied:

Verify that the version is 23.0.3+ or 22.0.4+ and, if you rely on the workaround, that the --external-decompressor flag is set to the intended trusted command.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected external decompressor commands in vttablet/vtbackup logs
  • Backup restoration failures or anomalies

Network Indicators:

  • Unauthorized access to backup storage locations
  • Unexpected network connections during backup restoration

SIEM Query (pseudo-syntax; adapt field names to your log schema):

source="vitess" AND ("external-decompressor" OR "backup restore") AND command!="cat" AND command!="tee" AND command!="expected_decompressor"
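The log and SIEM indicators above hinge on one check: is the decompressor command that a restore is about to run one the operator actually approved? The following script is an added example, not code from the Vitess project or from this advisory. It audits backup manifest files before a restore by comparing the decompressor command they carry against an operator-maintained allowlist and flagging shell metacharacters. It assumes the manifest is JSON and that the command lives in a top-level field named ExternalDecompressor (an assumption about the manifest layout; confirm the field name against the MANIFEST files your Vitess version writes). The sample manifests and the allowlist entries are constructed for this example.

```python
import json
import shlex

# Exact decompressor commands the operator has approved. Constructed placeholder
# set for this example; replace with the commands your deployment really uses.
APPROVED_DECOMPRESSORS = frozenset({"cat", "tee", "/usr/bin/zstd -d"})

# Characters that have no business in a plain decompressor invocation.
SHELL_METACHARS = frozenset(";|&$`<>(){}")

# Assumed manifest field name; check it against your Vitess version's MANIFEST.
DECOMPRESSOR_FIELD = "ExternalDecompressor"


def check_decompressor_command(command, approved=APPROVED_DECOMPRESSORS):
    """Return a list of findings for one decompressor command (empty = clean)."""
    findings = []
    if not command:
        # No external decompressor configured: nothing for the manifest to abuse.
        return findings
    if any(ch in SHELL_METACHARS for ch in command):
        findings.append("shell metacharacters in decompressor command: %r" % command)
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        findings.append("unparseable decompressor command %r: %s" % (command, exc))
        return findings
    # Normalise whitespace/quoting so 'zstd  -d' and 'zstd -d' compare equal.
    normalized = " ".join(argv)
    if normalized not in approved:
        findings.append("decompressor command not on approved list: %r" % normalized)
    return findings


def audit_manifest(manifest_text, approved=APPROVED_DECOMPRESSORS):
    """Parse a manifest and audit its decompressor command. Returns findings."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return ["manifest is not valid JSON: %s" % exc]
    if not isinstance(manifest, dict):
        return ["manifest is not a JSON object"]
    command = manifest.get(DECOMPRESSOR_FIELD, "")
    if not isinstance(command, str):
        return ["%s is not a string" % DECOMPRESSOR_FIELD]
    return check_decompressor_command(command, approved)


# Constructed sample manifests (not real Vitess backup data).
CLEAN_MANIFEST = json.dumps({
    "BackupMethod": "builtin",
    "CompressionEngine": "external",
    DECOMPRESSOR_FIELD: "cat",
})
TAMPERED_MANIFEST = json.dumps({
    "BackupMethod": "builtin",
    "CompressionEngine": "external",
    DECOMPRESSOR_FIELD: "cat; echo injected",
})


def audit_all(manifests):
    """Audit a mapping of name -> manifest text; returns name -> findings."""
    return {name: audit_manifest(text) for name, text in manifests.items()}


if __name__ == "__main__":
    for name, findings in audit_all({"clean": CLEAN_MANIFEST,
                                     "tampered": TAMPERED_MANIFEST}).items():
        status = "OK" if not findings else "SUSPICIOUS"
        print("%s: %s" % (name, status))
        for finding in findings:
            print("  - " + finding)
```

Run it against the manifests in a backup location before allowing a restore from that location; a non-empty findings list is the condition the "Unexpected external decompressor commands" indicator above is describing. The same check_decompressor_command function can be applied to the command string extracted from vttablet or vtbackup log lines once you know your log format.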
