Platform
go
Component
vitess.io/vitess
Fixed in
22.0.5
23.0.1
0.23.3
0.22.4
CVE-2026-27969 describes a critical Arbitrary File Access vulnerability discovered in Vitess. This flaw allows attackers with backup storage access to write to arbitrary file paths during the restore process, potentially leading to complete system compromise. The vulnerability impacts versions of Vitess prior to 0.22.4, and a patch has been released to address the issue.
The impact of CVE-2026-27969 is severe. An attacker who gains access to Vitess backup storage can leverage this vulnerability to write malicious files to any location on the system during a restore operation. This could involve overwriting critical system files, injecting malicious code into applications, or gaining persistent access to the environment. The blast radius extends to any system accessible through the Vitess backup and restore process. Successful exploitation could lead to complete system takeover and data exfiltration, similar to scenarios where attackers leverage file write vulnerabilities to establish persistence.
CVE-2026-27969 was publicly disclosed on 2026-03-10. As of this writing, there are no publicly available proof-of-concept exploits. The EPSS score is likely to be medium, given the critical CVSS score and the potential for significant impact, although the lack of public exploits reduces the immediate risk. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS
0.06% (17% percentile)
CISA SSVC
The primary mitigation for CVE-2026-27969 is to upgrade Vitess to version 0.22.4 or later. Prior to upgrading, assess the potential impact on your Vitess deployment and perform thorough testing in a non-production environment. If an immediate upgrade is not feasible, restrict access to Vitess backup storage to only authorized personnel and implement strict file access controls. Consider implementing a WAF or proxy to filter restore requests and prevent malicious file paths from being submitted. Regularly review and audit Vitess configuration and access logs for any suspicious activity.
Update Vitess to version 23.0.3 or later, or to version 22.0.4 or later, as appropriate. This corrects the path traversal vulnerability that allows writing to arbitrary file paths during backup restoration. No known workarounds exist.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-27969 is a critical vulnerability in Vitess allowing attackers with backup storage access to write arbitrary files during restore operations, potentially leading to system compromise.
You are affected if you are running Vitess versions prior to 0.22.4 and have backup storage access available to potential attackers.
Upgrade Vitess to version 0.22.4 or later. Prior to upgrading, test thoroughly in a non-production environment.
As of now, there are no publicly known active exploitation campaigns, but the critical severity warrants vigilance.
Refer to the official Vitess security advisories on the vitess.io website for detailed information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.