CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27965: Manifest Destiny: How Vitess Backups Became a Shell-Popping Paradise


Vulnerability ID: CVE-2026-27965
CVSS Score: 8.4
Published: 2026-02-26

In the world of horizontal scaling, Vitess is the titan that keeps the likes of Slack and YouTube running. But even titans have Achilles' heels. CVE-2026-27965 exposes a critical flaw in how Vitess handles database backups, specifically the metadata 'manifests' stored alongside them. By modifying a single JSON field in a backup stored on S3 or GCS, an attacker can trick the database engine into executing arbitrary commands during a restore operation. It turns the disaster recovery process into a disaster delivery mechanism.

TL;DR

A Critical Command Injection vulnerability in Vitess's backup restore process. An attacker with write access to the backup storage (S3/GCS) can modify the MANIFEST file to inject malicious shell commands via the ExternalDecompressor field. When a restore is triggered, Vitess executes these commands as the database user. Fixed in versions 22.0.4 and 23.0.3.


⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-27965
  • CVSS v4.0: 8.4 (High)
  • CWE: CWE-78 (OS Command Injection)
  • Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L
  • Attack Vector: Network (via Object Storage)
  • Exploit Status: Proof of Concept (PoC) Available

Affected Systems

  • Vitess vttablet
  • Vitess vtbackup
  • Vitess vtcombo
  • Vitess: < 22.0.4 (Fixed in: 22.0.4)
  • Vitess: >= 23.0.0, < 23.0.3 (Fixed in: 23.0.3)

Code Analysis

Commit: 4c01732

Fix: make loading compressor commands from MANIFEST opt-in

func resolveExternalDecompressor(...) {
- if externalDecompressorCmd == "" && bm.ExternalDecompressor != "" {
+ if ExternalDecompressorUseManifest && manifestDecompressor != "" {
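Review bot: the new condition drops the `externalDecompressorCmd == ""` guard, so when `ExternalDecompressorUseManifest` is enabled the manifest command is chosen even if the operator also configured one by flag; if the flag-configured command is meant to take precedence (the remediation steps tell operators to set `--external-decompressor` explicitly), keep the emptiness check, e.g. `if ExternalDecompressorUseManifest && externalDecompressorCmd == "" && manifestDecompressor != "" {`. The hunk also shows neither where `manifestDecompressor` is assigned from `bm.ExternalDecompressor` nor the flag's default; a comment stating that the default is false would make the opt-in behaviour visible at this site.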

Exploit Details

  • GitHub Issue: Public disclosure and reproduction steps in Vitess issue tracker

Mitigation Strategies

  • Upgrade Vitess components (vtbackup, vttablet, vtcombo) to patched versions.
  • Explicitly define decompression commands in startup configuration/flags.
  • Restrict write access to backup storage buckets (S3/GCS) to service accounts only.

Remediation Steps:

  1. Update Vitess to version 23.0.3 or 22.0.4.
  2. Audit vttablet startup flags. Ensure --external-decompressor is set if needed.
  3. Verify that --external-decompressor-use-manifest is NOT set to true.
  4. Rotate S3/GCS credentials if you suspect bucket compromise.
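A pre-restore check for the remediation steps above, added here as an example and not part of Vitess or the original post: it parses a MANIFEST, flags a decompressor command that does not match the one the operator configured by flag, and models the resolution order before and after the fix. The MANIFEST layout as plain JSON with untagged field names, and the names resolveDecompressor and AuditManifest, are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of a Vitess backup MANIFEST. The field name ExternalDecompressor is
// taken from the advisory; parsing the file as JSON with untagged Go field
// names is an assumption of this example.
type Manifest struct {
	BackupMethod         string
	CompressionEngine    string
	ExternalDecompressor string
}

// resolveDecompressor models the two orderings in the patch hunk: before the
// fix the MANIFEST command was used whenever no flag command was set; after it
// only when the operator opts in (useManifest = --external-decompressor-use-manifest).
func resolveDecompressor(flagCmd, manifestCmd string, useManifest, patched bool) string {
	if !patched && flagCmd == "" && manifestCmd != "" {
		return manifestCmd // vulnerable: storage-controlled command is executed
	}
	if patched && useManifest && manifestCmd != "" {
		return manifestCmd
	}
	return flagCmd
}

// AuditManifest parses a MANIFEST and returns the findings a restore job should
// block on: a manifest-supplied decompressor that differs from the operator's
// configured command, or one carrying shell metacharacters, is treated as tampering.
func AuditManifest(raw []byte, expectedCmd string) ([]string, error) {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("manifest is not valid JSON: %w", err)
	}
	var findings []string
	if m.ExternalDecompressor != "" && m.ExternalDecompressor != expectedCmd {
		findings = append(findings, "ExternalDecompressor differs from configured command: "+m.ExternalDecompressor)
	}
	if strings.ContainsAny(m.ExternalDecompressor, ";|&$`") {
		findings = append(findings, "ExternalDecompressor contains shell metacharacters")
	}
	return findings, nil
}
```

Run AuditManifest over every MANIFEST in the bucket before triggering a restore and refuse to proceed on any finding; the constructed sample in the checks below uses a benign appended command only to show the shape of a tampered field.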
