How to fix CVE-2026-27965?

Within 24 hours: Audit all backup storage locations and verify access controls are properly restricted. Within 7 days: Apply vendor patches to upgrade Vitess to version 23.0.3 or 22.0.4 or later across all affected instances. Within 30 days: Conduct security review of backup storage architecture, implement encryption at rest/transit for backups, and validate patch deployment across entire environment.

Is MySQL affected by CVE-2026-27965?

CVE-2026-27965 is a critical vulnerability in Vitess database clustering that allows attackers with backup storage access to compromise database integrity and confidentiality.

CVE-2026-27965

CRITICAL

2026-02-26 [email protected]

GHSA-8g8j-r87h-p36x

9.9

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

Patch Released

Mar 02, 2026 - 18:36 nvd

Patch available

CVE Published

Feb 26, 2026 - 02:16 nvd

CRITICAL 9.9

Description

Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment - allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. Some workarounds are available. Those who intended to use an external decompressor then can always specify that decompressor command in the `--external-decompressor` flag value for `vttablet` and `vtbackup`. That then overrides any value specified in the manifest file. Those who did not intend to use an external decompressor, nor an internal one, can specify a value such as `cat` or `tee` in the `--external-decompressor` flag value for `vttablet` and `vtbackup` to ensure that a harmless command is always used.

Analysis

Command injection in Vitess MySQL clustering system before 23.0.3/22.0.4. Users with read/write access to the backup store can achieve code execution. …

Remediation

Within 24 hours: Audit all backup storage locations and verify access controls are properly restricted. Within 7 days: Apply vendor patches to upgrade Vitess to version 23.0.3 or 22.0.4 or later across all affected instances. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +50

POC: 0

Vendor Status

CVE-2026-27965 vulnerability details – vuln.today

Back

CVE-2026-27965

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Vendor Status

Share

CVE-2026-27965

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Vendor Status

Share

External POC / Exploit Code