DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27969: Vitess Path Traversal via Backup Manifest Manipulation

#security #cve #cybersecurity

Vitess Path Traversal via Backup Manifest Manipulation

Vulnerability ID: CVE-2026-27969
CVSS Score: 9.3
Published: 2026-02-27

A critical path traversal vulnerability exists in the Vitess builtinbackupengine component, specifically within the backup restoration workflow. The flaw arises from improper validation of file paths defined in the backup MANIFEST file. An attacker with write access to the backup storage location (e.g., S3, GCS, or NFS) can craft a malicious backup manifest containing directory traversal sequences. When a Vitess vttablet attempts to restore from this compromised backup, the system processes these sequences, allowing arbitrary file writes to the underlying host filesystem. This vulnerability permits attackers to break out of the intended data directory, potentially overwriting system binaries, configuration files, or authorized keys to achieve remote code execution.

TL;DR

Improper path sanitization in the Vitess backup restore process allows attackers with backup storage access to write arbitrary files to the host OS via manipulated manifests.

Technical Details

  • CWE: CWE-22 (Path Traversal)
  • CVSS v4.0: 9.3 (Critical)
  • Attack Vector: Network (Backup Storage)
  • Exploit Maturity: None (No public PoC)
  • EPSS Score: 0.04%
  • Affected Component: builtinbackupengine

Affected Systems

  • Vitess 22.x < 22.0.4
  • Vitess 23.x < 23.0.3
  • Vitess: < 22.0.4 (Fixed in: 22.0.4)
  • Vitess: >= 23.0.0, < 23.0.3 (Fixed in: 23.0.3)

Code Analysis

Commit: c565cab

Fix path traversal in builtinbackupengine via SafePathJoin

func (fe *FileEntry) fullPath(cnf *Mycnf) (string, error) {
- return path.Join(fe.ParentPath, root, fe.Name), nil
+ return fileutil.SafePathJoin(path.Join(fe.ParentPath, root), fe.Name)
}
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Input Validation
  • Principle of Least Privilege
  • Network Segmentation
  • Integrity Monitoring

Remediation Steps:

  1. Upgrade Vitess to version 22.0.4 or higher immediately.
  2. For users on the 23.x branch, upgrade to version 23.0.3 or higher.
  3. Audit all existing backup manifests in storage for suspicious file paths containing .. sequences.
  4. Restrict write access to backup storage buckets (S3/GCS) to only the specific service accounts that require it.
  5. Ensure vttablet processes run with minimal filesystem permissions, preventing writes to system directories.

References

Read the full report for CVE-2026-27969 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)