Description
Advisory GHSA-8g8j-r87h-p36x references a vulnerability in the following Go modules:
| Module |
|---|
| vitess.io/vitess |
Description:
Impact
Any user with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there.
Patches
Fixes are expected to be released with versions v23.0.3 and v22.0.4.
See fix commit at vitessio/vitess@4c017329390...
References:
- ADVISORY: GHSA-8g8j-r87h-p36x (https://github.com/advisories/GHSA-8g8j-r87h-p36x)
- ADVISORY: GHSA-8g8j-r87h-p36x (https://github.com/vitessio/vitess/security/advisories/GHSA-8g8j-r87h-p36x)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-27965
- FIX: vitessio/vitess@4c01732
- FIX: Restore: make loading compressor commands from MANIFEST opt-in (vitessio/vitess#19460)
- REPORT: Bug Report: backup restore trusts decompressor in MANIFEST by default (vitessio/vitess#19459)
Cross references:
- vitess.io/vitess appears in 4 other report(s):
  - data/excluded/GO-2023-1769.yaml (x/vulndb: potential Go vuln in vitess.io/vitess: GHSA-pqj7-jx24-wj7w #1769) EFFECTIVELY_PRIVATE
  - data/reports/GO-2023-1717.yaml (x/vulndb: potential Go vuln in vitess.io/vitess: GHSA-735r-hv67-g38f #1717)
  - data/reports/GO-2024-2826.yaml (x/vulndb: potential Go vuln in github.com/vitessio/vitess: GHSA-649x-hxfx-57j2 #2826)
  - data/reports/GO-2024-3306.yaml (x/vulndb: potential Go vuln in github.com/vitessio/vitess: CVE-2024-53257 #3306)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: vitess.io/vitess
      vulnerable_at: 0.23.2
summary: |-
    Vitess users with backup storage access can gain unauthorized access to
    production deployment environments in vitess.io/vitess
cves:
    - CVE-2026-27965
ghsas:
    - GHSA-8g8j-r87h-p36x
references:
    - advisory: https://github.com/advisories/GHSA-8g8j-r87h-p36x
    - advisory: https://github.com/vitessio/vitess/security/advisories/GHSA-8g8j-r87h-p36x
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-27965
    - fix: https://github.com/vitessio/vitess/commit/4c0173293907af9cb942a6683c465c3f1e9fdb5c
    - fix: https://github.com/vitessio/vitess/pull/19460
    - report: https://github.com/vitessio/vitess/issues/19459
source:
    id: GHSA-8g8j-r87h-p36x
    created: 2026-02-26T23:01:42.492134087Z
review_status: UNREVIEWED
```