RCE and arbitrary file write in Vitess vtbackup via untrusted MANIFEST fields

Alex Manson · 4 min read
Tags: #security #vulnerabilities #software

TL;DR (AI summary)

Two critical vulnerabilities have been identified in Vitess related to the backup MANIFEST file. The vulnerabilities allow for remote code execution and arbitrary file writes due to untrusted fields being processed during restore. Users are advised to upgrade to patched versions to mitigate these risks.

Opening excerpt (first ~120 words)

18-05-2026

RCE and arbitrary file write in Vitess vtbackup via untrusted MANIFEST fields

TLDR: Two CVEs in Vitess. Both come from the backup MANIFEST file being trusted at restore time.

CVE-2026-27965 (GHSA-8g8j-r87h-p36x) CVSS 8.4, CWE-78. The ExternalDecompressor field is run through /bin/sh -c. RCE as the vitess user.

CVE-2026-27969 (GHSA-r492-hjgh-c9gw) CVSS 9.3, CWE-22. FileEntries[].Name path traversal. Write to any path the vitess user can write.

Affected: v22.0.3 and older, v23.0.0-v23.0.2. Patched: v22.0.4, v23.0.3.

Quick workaround for the RCE only: set --external-decompressor=cat or any other harmless command on vttablet/vtbackup. The flag overrides the manifest. No equivalent for the path traversal, upgrade.
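A restore-side check covering both MANIFEST fields the excerpt names, written in Go as an added example (not Vitess's own code or its patch): it flags a manifest-supplied ExternalDecompressor as something the restore must ignore in favour of the operator's flag, and confines every FileEntries[].Name to the restore directory. The restore directory, the struct and the sample manifest are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// SampleManifest is a constructed MANIFEST (not from a real backup) carrying
// both untrusted fields the advisory names: a decompressor command and
// file entry names, two of which try to leave the restore directory.
const SampleManifest = `{"ExternalDecompressor":"gzip -d","FileEntries":[
 {"Name":"vt_0000000001/ibdata1"},{"Name":"../../home/vitess/.bashrc"},{"Name":"/etc/cron.d/x"}]}`

// SafeRestorePath joins an untrusted entry name onto restoreDir and rejects
// empty or absolute names, NUL bytes, and any name that resolves outside root.
func SafeRestorePath(restoreDir, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || strings.ContainsRune(name, 0) {
		return "", fmt.Errorf("rejected entry name %q", name)
	}
	root := filepath.Clean(restoreDir)
	full := filepath.Join(root, name) // Join resolves ".." lexically
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry name %q escapes %s", name, root)
	}
	return full, nil
}

// CheckManifest parses only the two fields in question (hypothetical struct,
// not Vitess's own type) and returns one finding per untrusted value a restore
// must refuse to act on. An empty result means every file name stays in root.
func CheckManifest(raw []byte, restoreDir string) ([]string, error) {
	var m struct {
		ExternalDecompressor string
		FileEntries          []struct{ Name string }
	}
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	var findings []string
	if m.ExternalDecompressor != "" {
		findings = append(findings, "manifest-supplied ExternalDecompressor ignored; the operator flag wins")
	}
	for _, e := range m.FileEntries {
		if _, err := SafeRestorePath(restoreDir, e.Name); err != nil {
			findings = append(findings, err.Error())
		}
	}
	return findings, nil
}
```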
