LeakyCreds

CVE-2026-27969 - Vulnerability Analysis

Severity: High | CVSS: 8.8

Last Updated: February 27, 2026

Vitess - Path Traversal

Published: February 26, 2026 | Updated: February 27, 2026 | Remote Exploitable

Overview

Vitess versions before 23.0.3 and before 22.0.4 contain a path traversal vulnerability in backup restore. An attacker who can manipulate backup manifest files in backup storage can cause files to be written to arbitrary locations when the backup is restored. Exploitation requires read/write access to backup storage.
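
The class of check that prevents this kind of restore-time traversal, as an added example (not Vitess code and not the project's actual fix): every file name read from a manifest is resolved against the restore root and rejected if it lands outside it. The manifest is modelled here as a plain list of relative file names, which is an assumption; the root path and sample entries are constructed.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// safeRestorePath resolves a manifest-supplied name (hypothetical field) against
// the restore root and rejects anything that would be written outside it.
// The check is lexical only; symlinks already present under root need separate handling.
func safeRestorePath(root, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", fmt.Errorf("manifest entry %q: empty or absolute path", name)
	}
	cleanRoot := filepath.Clean(root)
	target := filepath.Join(cleanRoot, name) // Join also collapses ".." segments
	rel, err := filepath.Rel(cleanRoot, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("manifest entry %q: escapes restore root %s", name, cleanRoot)
	}
	return target, nil
}

// rejectedEntries returns the manifest names that must not be restored.
// A restore should abort if this list is non-empty rather than skip entries.
func rejectedEntries(root string, names []string) []string {
	var bad []string
	for _, n := range names {
		if _, err := safeRestorePath(root, n); err != nil {
			bad = append(bad, n)
		}
	}
	return bad
}

// Constructed sample manifest: two legitimate entries and three that leave the root.
var sampleManifest = []string{
	"ibdata1",
	"data/shop/orders.ibd",
	"../../outside/file",
	"/tmp/absolute",
	"data/../../outside.cnf",
}

func main() {
	root := "/vt/vtdataroot/tablet1" // constructed restore root
	fmt.Println("rejected:", rejectedEntries(root, sampleManifest))
}
```

Until a fixed version is deployed, the same validation can be run as an audit over manifests already in backup storage, alongside tightening write access to that storage.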

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 4.0% (Probability of exploitation in next 30 days)

Impact

Attackers can write files to arbitrary locations and execute arbitrary commands, leading to unauthorized access and control over the production environment.

Mitigation

Update to versions 23.0.3 or 22.0.4 or later.

Social Media Activity (1 post)

Offensive Sequence
@offseq
Feb 26, 2026

🔥 CRITICAL: CVE-2026-27969 in Vitess (<22.0.4, 23.0.0 – 23.0.3) allows path traversal via backup restore. Attackers w/ backup storage access can write files anywhere Vitess can reach. Patch ASAP & secure storage! https://radar.offseq.com/threat/cve-2026-27969-cwe-22-improper-limitation-of-a-pat-4b60f36b #OffSeq #Vitess #CVE202627969


Details

CVE ID: CVE-2026-27969
Severity: High
CVSS Score: 8.8
Type: path_traversal
Status: confirmed
EPSS: 4.0%
Social Posts: 1

CWE

  • CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.0% (Probability of exploitation in the next 30 days)