GHSA-R492-HJGH-C9GW
Vulnerability from github – Published: 2026-02-27 16:03 – Updated: 2026-02-27 16:03
Summary
Vitess users with backup storage access can write to arbitrary file paths on restore
Details
Impact
Anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore. This is a common Path Traversal security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there.
Patches
v23.0.3 and v22.0.4
Resources
https://github.com/vitessio/vitess/pull/19470
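The restore-side check a defender would want against the path traversal described under Impact, written here as an added Go example (it is not Vitess's own code, nor the fix in the PR above): every manifest file name is resolved against the restore directory and rejected if it would be written anywhere outside it. The names `SafeRestorePath`, `ValidateManifest` and the restore directory used in the test are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("manifest entry escapes the restore directory")

// escapes reports whether a cleaned path starts with a ".." component.
func escapes(p string) bool {
	return p == ".." || strings.HasPrefix(p, ".."+string(filepath.Separator))
}

// SafeRestorePath resolves a manifest file name against restoreDir and refuses
// anything outside it: empty, "." or absolute names, NUL bytes, ".." components.
func SafeRestorePath(restoreDir, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || strings.ContainsRune(name, 0) {
		return "", ErrUnsafePath
	}
	// Clean collapses "a/../b" into "b"; any ".." that survives cleaning is a
	// leading one, which means the entry points above the restore root.
	cleaned := filepath.Clean(name)
	if cleaned == "." || escapes(cleaned) {
		return "", ErrUnsafePath
	}
	root := filepath.Clean(restoreDir)
	full := filepath.Join(root, cleaned)
	// Second, independent check: the final path must still sit under root.
	if rel, err := filepath.Rel(root, full); err != nil || escapes(rel) {
		return "", ErrUnsafePath
	}
	return full, nil
}

// ValidateManifest checks every entry before anything is written, so one bad
// entry aborts the restore instead of being discovered half-way through.
func ValidateManifest(restoreDir string, names []string) ([]string, error) {
	paths := make([]string, 0, len(names))
	for _, n := range names {
		p, err := SafeRestorePath(restoreDir, n)
		if err != nil {
			return nil, fmt.Errorf("manifest entry %q: %w", n, err)
		}
		paths = append(paths, p)
	}
	return paths, nil
}
```

This constrains the lexical path only; symlinks already present under the restore directory are a separate concern and need an additional check at write time.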
Severity
```json
{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "vitess.io/vitess"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.23.0-rc1"
            },
            {
              "fixed": "0.23.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "vitess.io/vitess"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.22.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27969"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-27T16:03:54Z",
    "nvd_published_at": "2026-02-26T02:16:24Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nAnyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest \u2014 which may be files that they have also added to the manifest and backup contents \u2014\u00a0are written to any accessible location on restore. This is a common [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment \u2014 allowing them to access information available in that environment as well as run any additional arbitrary commands there.\n\n### Patches\n\nv23.0.3 and v22.0.4\n\n### Resources\n\nhttps://github.com/vitessio/vitess/pull/19470",
  "id": "GHSA-r492-hjgh-c9gw",
  "modified": "2026-02-27T16:03:54Z",
  "published": "2026-02-27T16:03:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vitessio/vitess/security/advisories/GHSA-r492-hjgh-c9gw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitessio/vitess/pull/19470"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitessio/vitess/commit/c565cab615bc962bda061dcd645aa7506c59ca4a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vitessio/vitess"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/attacks/Path_Traversal"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vitess users with backup storage access can write to arbitrary file paths on restore"
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.