CVE-2026-27969
Published: 26 February 2026
Summary
CVE-2026-27969 is a high-severity path traversal (CWE-22) vulnerability in Vitess (vendor: Linuxfoundation). Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 22.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation) addresses the root cause: every file path taken from a backup manifest must be validated before anything is written during restore, and entries that resolve outside the restore directory must be rejected rather than written.
SI-2 (Flaw Remediation) means applying the Vitess releases that fix the restore path handling, 23.0.3 or 22.0.4; since the advisory lists no workaround, upgrading is the only complete fix.
AC-6 (Least Privilege) limits who can write to the backup storage location (for example, the S3 bucket) to the backup process itself. The attack requires the ability to modify manifests and backup contents, so removing write access from every other principal is the compensating control until the patch is deployed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An attacker who can write to the backup storage tampers with the manifest so that a routine restore writes attacker-chosen files to attacker-chosen paths on the Vitess host. The remote trigger through the product's own restore flow maps to Exploit Public-Facing Application (T1190), and the delivery of attacker-controlled files into the target environment maps to Ingress Tool Transfer (T1105); together they yield code execution and unauthorized access. Note the precondition: the attacker needs read/write access to the backup location, and the flaw fires when a legitimate restore runs.
NVD Description
Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore. This is a common path traversal security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. No known workarounds are available.
Deeper analysis
CVE-2026-27969 is a path traversal vulnerability (CWE-22) in Vitess, a database clustering system for horizontal scaling of MySQL. It affects Vitess versions prior to 23.0.3 and 22.0.4. The restore process trusts the file names recorded in a backup manifest stored in the backup location (such as an S3 bucket); a name containing traversal segments is joined onto the restore directory without a containment check, so the corresponding file is written to an arbitrary location the restoring process can reach. The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 8.8): network-reachable, low complexity, low privileges (write access to the backup storage), with high impact on confidentiality, integrity and availability.
An attacker with read/write access to the backup storage edits the manifest and adds their own files to the backup contents. When a legitimate operator later restores from that backup, Vitess writes the attacker's files to the paths the manifest names, placing them in unintended locations within the production deployment environment. This gives the attacker access to information in that environment and a way to run arbitrary commands there.
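The following added example illustrates the bug class described above in Vitess's own language, Go. It is not Vitess code and does not reproduce the project's manifest schema or the actual fix; the `FileEntries`/`Name` JSON shape, the `/var/lib/mysql/restore` directory and the sample manifest are constructed for illustration. It shows the unsafe pattern (join the manifest name onto the restore directory and write) next to a hardened resolver that rejects absolute names and any name whose cleaned destination lands outside the restore directory.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// manifest models only the part of a backup manifest this example needs:
// a list of file names to be written under the restore directory.
// The field names are an assumption for illustration, not Vitess's schema.
type manifest struct {
	FileEntries []struct {
		Name string `json:"Name"`
	} `json:"FileEntries"`
}

// unsafeRestorePath is the vulnerable pattern: the manifest name is joined
// onto the restore directory with no containment check. filepath.Join cleans
// the result, so "../" segments silently walk out of restoreDir.
func unsafeRestorePath(restoreDir, name string) string {
	return filepath.Join(restoreDir, name)
}

// resolveRestorePath is the hardened form. It refuses empty and absolute
// names, then checks that the cleaned destination is strictly inside
// restoreDir by computing the relative path back from restoreDir.
func resolveRestorePath(restoreDir, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", fmt.Errorf("manifest entry %q: empty or absolute name rejected", name)
	}
	dest := filepath.Join(restoreDir, name)
	rel, err := filepath.Rel(restoreDir, dest)
	if err != nil {
		return "", fmt.Errorf("manifest entry %q: %w", name, err)
	}
	// "." is the directory itself, ".." or "../..." means the entry escaped.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("manifest entry %q resolves outside restore directory %s", name, restoreDir)
	}
	return dest, nil
}

// validateManifest parses a manifest and returns the destination path for
// every entry, or an error naming the first entry that would escape restoreDir.
// A restore should refuse to write anything if this returns an error.
func validateManifest(restoreDir string, raw []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	dests := make([]string, 0, len(m.FileEntries))
	for _, fe := range m.FileEntries {
		dest, err := resolveRestorePath(restoreDir, fe.Name)
		if err != nil {
			return nil, err
		}
		dests = append(dests, dest)
	}
	return dests, nil
}

// tamperedManifest is a constructed sample: one legitimate entry followed by
// one that an attacker with write access to the bucket could have appended.
const tamperedManifest = `{"FileEntries":[{"Name":"data/mysql/ibdata1"},{"Name":"../../../etc/cron.d/vt-implant"}]}`

func main() {
	restoreDir := "/var/lib/mysql/restore"
	fmt.Println("unsafe join writes to:", unsafeRestorePath(restoreDir, "../../../etc/cron.d/vt-implant"))
	if _, err := validateManifest(restoreDir, []byte(tamperedManifest)); err != nil {
		fmt.Println("hardened restore refused:", err)
	}
}
```

The containment check uses `filepath.Rel` rather than a string prefix comparison on the joined path, because a prefix test is fooled by sibling directories (`/var/lib/mysql/restore2`) and by names such as `data/../../x` that only escape after cleaning. Validating the whole manifest before writing any file keeps a partially applied restore from leaving attacker files on disk.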
Vitess versions 23.0.3 and 22.0.4 contain the fix. The change is recorded in commit https://github.com/vitessio/vitess/commit/c565cab615bc962bda061dcd645aa7506c59ca4a, pull request https://github.com/vitessio/vitess/pull/19470, and security advisory https://github.com/vitessio/vitess/security/advisories/GHSA-r492-hjgh-c9gw. No known workarounds are available, so deployments on earlier versions should upgrade and, in the meantime, restrict write access to the backup storage location.
Details
- CWE(s)