CVE-2026-27965

Name of the Vulnerable Software and Affected Versions Vitess versions prior to 23.0.3 Vitess versions prior to 22.0.4

Description Vitess is a database clustering system for horizontal scaling of MySQL. A flaw exists where someone with read/write access to the backup storage location can manipulate backup manifest files, leading to arbitrary code execution when the backup is restored. This could grant an attacker unintended access to the production deployment environment, allowing them to access information and execute arbitrary commands.

Recommendations Update to Vitess version 23.0.3 or later. Update to Vitess version 22.0.4 or later. If using an external decompressor, specify the decompressor command using the --external-decompressor flag for vttablet and vtbackup. If not using an external or internal decompressor, specify a harmless command such as cat or tee in the --external-decompressor flag value for vttablet and vtbackup.