{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-04-21T13:44:00.633",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2026-27965",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2026-02-26T02:16:23.647",
        "lastModified": "2026-03-02T18:36:24.300",
        "vulnStatus": "Analyzed",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. Some workarounds are available. Those who intended to use an external decompressor then can always specify that decompressor command in the `--external-decompressor` flag value for `vttablet` and `vtbackup`. That then overrides any value specified in the manifest file. Those who did not intend to use an external decompressor, nor an internal one, can specify a value such as `cat` or `tee` in the `--external-decompressor` flag value for `vttablet` and `vtbackup` to ensure that a harmless command is always used."
          }
        ],
        "metrics": {
          "cvssMetricV40": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "4.0",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "privilegesRequired": "HIGH",
                "userInteraction": "PASSIVE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "subAvailabilityImpact": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "confidentialityRequirement": "NOT_DEFINED",
                "integrityRequirement": "NOT_DEFINED",
                "availabilityRequirement": "NOT_DEFINED",
                "modifiedAttackVector": "NOT_DEFINED",
                "modifiedAttackComplexity": "NOT_DEFINED",
                "modifiedAttackRequirements": "NOT_DEFINED",
                "modifiedPrivilegesRequired": "NOT_DEFINED",
                "modifiedUserInteraction": "NOT_DEFINED",
                "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
                "modifiedVulnIntegrityImpact": "NOT_DEFINED",
                "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
                "modifiedSubConfidentialityImpact": "NOT_DEFINED",
                "modifiedSubIntegrityImpact": "NOT_DEFINED",
                "modifiedSubAvailabilityImpact": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "valueDensity": "NOT_DEFINED",
                "vulnerabilityResponseEffort": "NOT_DEFINED",
                "providerUrgency": "NOT_DEFINED"
              }
            }
          ],
          "cvssMetricV31": [
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "LOW",
                "userInteraction": "NONE",
                "scope": "CHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "HIGH"
              },
              "exploitabilityScore": 3.1,
              "impactScore": 6.0
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Primary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-78"
              }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:linuxfoundation:vitess:*:*:*:*:*:*:*:*",
                    "versionEndExcluding": "22.0.4",
                    "matchCriteriaId": "918163A7-23FD-40D2-B3E3-7B7ED4E79E44"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:linuxfoundation:vitess:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "23.0.0",
                    "versionEndExcluding": "23.0.3",
                    "matchCriteriaId": "AB25FA07-F72B-445D-AA0C-E97D2E5E7CC8"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://github.com/vitessio/vitess/commit/4c0173293907af9cb942a6683c465c3f1e9fdb5c",
            "source": "security-advisories@github.com",
            "tags": ["Patch"]
          },
          {
            "url": "https://github.com/vitessio/vitess/issues/19459",
            "source": "security-advisories@github.com",
            "tags": ["Issue Tracking"]
          },
          {
            "url": "https://github.com/vitessio/vitess/pull/19460",
            "source": "security-advisories@github.com",
            "tags": ["Issue Tracking", "Patch"]
          },
          {
            "url": "https://github.com/vitessio/vitess/security/advisories/GHSA-8g8j-r87h-p36x",
            "source": "security-advisories@github.com",
            "tags": ["Mitigation", "Patch", "Vendor Advisory"]
          }
        ]
      }
    }
  ]
}
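Added example, not Vitess code and not the upstream patch: a Go sketch of the trust decision that the CVE-2026-27965 description turns on. The record says a restore runs whatever external decompressor the backup manifest names, so anyone who can write to the bucket controls a command line executed in the production environment (CWE-78), and that the workaround is to make the operator-supplied `--external-decompressor` flag authoritative. The block models that with a minimal `manifest` type (the field names `BackupMethod`, `CompressionEngine` and `ExternalDecompressor` are assumptions, as are the two constructed sample manifests), a resolver that reproduces the pre-patch trust model, a hardened resolver that follows the advisory's workaround semantics, and an audit helper for sweeping existing manifests in a backup location against an operator allowlist.

```go
// Added example modelling the manifest trust problem in CVE-2026-27965.
// Not Vitess code. Field names and sample manifests are assumptions.
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// manifest holds the few MANIFEST fields relevant here. The JSON field names
// are an assumption modelled on a builtin-backup manifest, not Vitess's schema.
type manifest struct {
	BackupMethod         string `json:"BackupMethod"`
	CompressionEngine    string `json:"CompressionEngine"`
	ExternalDecompressor string `json:"ExternalDecompressor"`
}

// Constructed samples: an untouched manifest and one rewritten by someone with
// write access to the backup bucket. The tampered command is illustrative only.
const benignManifest = `{"BackupMethod":"builtin","CompressionEngine":"pgzip","ExternalDecompressor":""}`
const tamperedManifest = `{"BackupMethod":"builtin","CompressionEngine":"external","ExternalDecompressor":"sh -c 'touch /tmp/manifest-tampered; cat'"}`

// parseManifest decodes a MANIFEST document into the fields above.
func parseManifest(data []byte) (manifest, error) {
	var m manifest
	if err := json.Unmarshal(data, &m); err != nil {
		return manifest{}, fmt.Errorf("manifest is not valid JSON: %w", err)
	}
	return m, nil
}

// resolveDecompressorVulnerable reproduces the trust model the advisory
// describes: the manifest, which lives in attacker-writable storage, decides
// which command runs on restore whenever it names one.
func resolveDecompressorVulnerable(flagValue string, m manifest) string {
	if m.ExternalDecompressor != "" {
		return m.ExternalDecompressor
	}
	return flagValue
}

// resolveDecompressorHardened applies the workaround semantics from the
// advisory: the --external-decompressor flag, when set, always wins (including
// a deliberately harmless value such as "cat"). With the flag unset, a manifest
// that names a command is refused rather than obeyed. An empty result means
// the builtin decompression path. This is one reasonable policy, not a
// description of the upstream fix.
func resolveDecompressorHardened(flagValue string, m manifest) (string, error) {
	if flagValue != "" {
		return flagValue, nil
	}
	if m.ExternalDecompressor != "" {
		return "", fmt.Errorf("manifest names external decompressor %q but --external-decompressor is unset: refusing to run a storage-supplied command", m.ExternalDecompressor)
	}
	return "", nil
}

// auditManifest reports manifests whose decompressor is not on an operator
// allowlist or carries shell metacharacters; intended for sweeping a bucket of
// existing backups for tampering before any of them is restored.
func auditManifest(m manifest, allowed []string) []string {
	var findings []string
	cmd := m.ExternalDecompressor
	if cmd == "" {
		return findings
	}
	if strings.ContainsAny(cmd, ";|&$`<>(){}\n") {
		findings = append(findings, "decompressor contains shell metacharacters: "+cmd)
	}
	onList := false
	for _, a := range allowed {
		if cmd == a {
			onList = true
			break
		}
	}
	if !onList {
		findings = append(findings, "decompressor not in allowlist: "+cmd)
	}
	return findings
}

func main() {
	allow := []string{"zstd -d"} // what the operator actually deploys
	for name, raw := range map[string]string{"benign": benignManifest, "tampered": tamperedManifest} {
		m, err := parseManifest([]byte(raw))
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: vulnerable path would run %q\n", name, resolveDecompressorVulnerable("", m))
		cmd, err := resolveDecompressorHardened("cat", m)
		fmt.Printf("%s: hardened path with --external-decompressor=cat runs %q (err=%v)\n", name, cmd, err)
		for _, f := range auditManifest(m, allow) {
			fmt.Printf("%s: audit finding: %s\n", name, f)
		}
	}
}
```

The audit helper is the piece worth running before upgrading: a manifest that names a decompressor the operator never configured is the visible trace of the tampering the advisory describes, and the restore path never needs to be exercised to find it.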