Cyber Posture

CVE-2026-27965

Critical · RCE

Published: 26 February 2026
Modified: 02 March 2026
KEV Added: not listed
Patch: available
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0008 (23.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27965 is a critical-severity OS Command Injection (CWE-78) vulnerability in Linuxfoundation Vitess. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 23.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent
Directly mitigates the vulnerability by requiring timely application of Vitess patches 23.0.3 or 22.0.4, which prevent execution of arbitrary commands from tampered backup manifest files.

AC-3 Access Enforcement · prevent
Enforces approved authorizations to restrict read/write access to backup storage locations such as S3 buckets, preventing attackers from manipulating manifest files.

Integrity verification · prevent · detect
Implements integrity verification mechanisms to detect tampering of backup manifest files and prevent execution of injected commands during restoration.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in backup manifest handling enables remote code execution on Vitess nodes via network-accessible storage tampering (T1190) and direct Unix shell command execution during restore (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. Some workarounds are available. Those who intended to use an external decompressor then can always specify that decompressor command in the `--external-decompressor` flag value for `vttablet` and `vtbackup`. That then overrides any value specified in the manifest file. Those who did not intend to use an external decompressor, nor an internal one, can specify a value such as `cat` or `tee` in the `--external-decompressor` flag value for `vttablet` and `vtbackup` to ensure that a harmless command is always used.

Deeper analysis

CVE-2026-27965 is a critical-severity vulnerability (CVSS 9.9) in Vitess, a database clustering system for horizontal scaling of MySQL. In versions prior to 23.0.3 and 22.0.4, the issue stems from improper handling of backup manifest files stored in external locations such as S3 buckets. Attackers with read/write access to these backup storage locations can modify the manifest files to inject arbitrary commands, which are then executed during the backup restoration process. This flaw is classified under CWE-78 (OS Command Injection).

An attacker requires only low privileges with read/write access to the backup storage, enabling exploitation over the network with low complexity and no user interaction. Upon restoration of the tampered backup, the injected code executes with the privileges of the Vitess processes (vttablet or vtbackup), granting unauthorized access to the production deployment environment. This allows the attacker to access sensitive information available in that environment and execute additional arbitrary commands, potentially leading to full compromise.

Vitess versions 23.0.3 and 22.0.4 include patches addressing the vulnerability, as detailed in the project's security advisory (GHSA-8g8j-r87h-p36x) and related GitHub commits and pull requests. Workarounds involve explicitly setting the `--external-decompressor` flag for vttablet and vtbackup to override any decompressor command in the manifest file; users intending to use an external decompressor should specify it directly, while others can use a harmless command like `cat` or `tee`.
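The two defensive ideas the description and analysis above rest on, as an added example that is not Vitess's own code: an operator-supplied `--external-decompressor` value that always overrides the manifest (the advisory's workaround), an allowlist for the no-override case, and an HMAC integrity tag that catches a manifest edited in place in the bucket. The manifest field name, the allowlist and the HMAC scheme are assumptions for this example, not Vitess's real manifest format or restore logic.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in; the field name is an assumption, not Vitess's format.
type Manifest struct {
	ExternalDecompressor string `json:"ExternalDecompressor"`
}

// Commands a restore may run when no operator override is set ("" = no external decompressor).
var allowedDecompressors = map[string]bool{"": true, "cat": true, "tee": true, "zstd -d": true}

// chooseDecompressor applies the workaround rule: an operator-supplied --external-decompressor
// always wins over the manifest; otherwise the manifest value is accepted only from the allowlist.
func chooseDecompressor(flagOverride string, m Manifest) (string, error) {
	if flagOverride != "" {
		return flagOverride, nil
	}
	if !allowedDecompressors[m.ExternalDecompressor] {
		return "", fmt.Errorf("manifest decompressor %q is not allowlisted", m.ExternalDecompressor)
	}
	return m.ExternalDecompressor, nil
}

// signManifest tags the raw manifest with HMAC-SHA256 under a key kept outside the backup bucket (constructed scheme).
func signManifest(raw, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(raw)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyManifest rejects a manifest whose tag does not match before it is parsed at restore time.
func verifyManifest(raw []byte, tagHex string, key []byte) (Manifest, error) {
	if !hmac.Equal([]byte(signManifest(raw, key)), []byte(tagHex)) {
		return Manifest{}, errors.New("manifest integrity check failed")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}
```

The allowlist check is a fallback: the HMAC check is what turns a write to the bucket into a restore failure rather than a silent change of behaviour.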

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products
linuxfoundation / vitess: ≤ 22.0.4 · 23.0.0 — 23.0.3

CVEs Like This One

CVE-2026-27969 · Same product: Linuxfoundation Vitess
CVE-2026-24905 · Same vendor: Linuxfoundation
CVE-2026-32604 · Same vendor: Linuxfoundation
CVE-2026-32613 · Same vendor: Linuxfoundation
CVE-2026-25070 · Shared CWE-78
CVE-2026-34796 · Shared CWE-78
CVE-2025-27392 · Shared CWE-78
CVE-2025-64127 · Shared CWE-78
CVE-2026-3037 · Shared CWE-78
CVE-2025-56114 · Shared CWE-78
