x/vulndb: potential Go vuln in vitess.io/vitess: GHSA-r492-hjgh-c9gw

[GoVulnBot]

Advisory GHSA-r492-hjgh-c9gw references a vulnerability in the following Go modules:

Module
vitess.io/vitess

Description:

Impact

Anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore. This is a common Path Traversal security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as w...

References:

• ADVISORY: GHSA-r492-hjgh-c9gw
• ADVISORY: GHSA-r492-hjgh-c9gw
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-27969
• FIX: vitessio/vitess@c565cab
• FIX: backupengine: disallow path traversals via backup MANIFEST on restore vitessio/vitess#19470
• WEB: https://owasp.org/www-community/attacks/Path_Traversal

Cross references:

• vitess.io/vitess appears in 4 other report(s):
  • data/excluded/GO-2023-1769.yaml (x/vulndb: potential Go vuln in vitess.io/vitess: GHSA-pqj7-jx24-wj7w #1769) EFFECTIVELY_PRIVATE
  • data/reports/GO-2023-1717.yaml (x/vulndb: potential Go vuln in vitess.io/vitess: GHSA-735r-hv67-g38f #1717)
  • data/reports/GO-2024-2826.yaml (x/vulndb: potential Go vuln in github.com/vitessio/vitess: GHSA-649x-hxfx-57j2 #2826)
  • data/reports/GO-2024-3306.yaml (x/vulndb: potential Go vuln in github.com/vitessio/vitess: CVE-2024-53257 #3306)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: vitess.io/vitess
      versions:
        - fixed: 0.22.4
        - introduced: 0.23.0-rc1
        - fixed: 0.23.3
      vulnerable_at: 0.23.2
summary: |-
    Vitess users with backup storage access can write to arbitrary file paths on
    restore in vitess.io/vitess
cves:
    - CVE-2026-27969
ghsas:
    - GHSA-r492-hjgh-c9gw
references:
    - advisory: https://github.com/advisories/GHSA-r492-hjgh-c9gw
    - advisory: https://github.com/vitessio/vitess/security/advisories/GHSA-r492-hjgh-c9gw
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-27969
    - fix: https://github.com/vitessio/vitess/commit/c565cab615bc962bda061dcd645aa7506c59ca4a
    - fix: https://github.com/vitessio/vitess/pull/19470
    - web: https://owasp.org/www-community/attacks/Path_Traversal
source:
    id: GHSA-r492-hjgh-c9gw
    created: 2026-02-27T17:01:37.651054938Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/751500 mentions this issue: data/reports: add 27 reports