Skip to main content

MySQL CVE-2026-27969

HIGH
Path Traversal (CWE-22)
2026-02-26 security-advisories@github.com GHSA-r492-hjgh-c9gw
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch released
Feb 27, 2026 - 18:28 nvd
Patch available
CVE Published
Feb 26, 2026 - 02:16 nvd
HIGH 8.8

DescriptionGitHub Advisory

Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest - which may be files that they have also added to the manifest and backup contents - are written to any accessible location on restore. This is a common path traversal security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment - allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. No known workarounds are available.

AnalysisAI

Path traversal in Vitess backup manifest handling allows authenticated attackers with access to backup storage to write arbitrary files to any location during restore operations, potentially achieving remote code execution on production MySQL deployments. An attacker can manipulate backup manifests to extract files outside intended directories, gaining unauthorized access to sensitive data and the ability to execute arbitrary commands in the production environment. Patches are available for versions 23.0.3 and 22.0.4.

Technical ContextAI

Classified as CWE-22 (Path Traversal). Affects Vitess. Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore. This is a common path traversal security issue. This can be used to provide that attacker with unintended/u

RemediationAI

A vendor patch is available — apply it immediately. Validate and sanitize file path inputs. Use allowlists. Restrict network access to the affected service where possible.

More in MySQL

View all
CVE-2016-6662 CRITICAL POC
9.8 Sep 20

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.2

CVE-2012-5613 MEDIUM POC
6.0 Dec 03

MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a and possibly other versions, when configured to assign the

CVE-2017-3599 HIGH POC
7.5 Apr 24

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth). Rated high severity

CVE-2012-2122 MEDIUM POC
5.1 Jun 26

sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x befor

CVE-2012-5612 MEDIUM POC
6.5 Dec 03

Heap-based buffer overflow in Oracle MySQL 5.5.19 and other versions through 5.5.28, and MariaDB 5.5.28a and possibly ot

CVE-2012-5611 MEDIUM POC
6.5 Dec 03

Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions through 5.5.28, and 5.1.53

CVE-2016-6664 HIGH POC
7.0 Dec 13

mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server befo

CVE-2015-3152 MEDIUM POC
5.9 May 16

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the

CVE-2026-24479 CRITICAL POC
9.8 Jan 27

HUSTOJ online judge has a path traversal vulnerability enabling arbitrary file access on the competition server.

CVE-2016-2105 HIGH
7.5 May 05

Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2

CVE-2016-0705 CRITICAL
9.8 Mar 03

Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1

CVE-2026-27005 CRITICAL POC
9.8 Mar 06

SQL injection in Chartbrew before 4.8.3. PoC available.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-27969 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy