{"schema_version":"1.3.1","id":"GO-2026-4570","modified":"2026-03-10T18:28:01Z","published":"2026-03-10T18:28:01Z","aliases":["CVE-2026-27969","GHSA-r492-hjgh-c9gw"],"summary":"Vitess users with backup storage access can write to arbitrary file paths in vitess.io/vitess","details":"Vitess users with backup storage access can write to arbitrary file paths on restore in vitess.io/vitess","affected":[{"package":{"name":"vitess.io/vitess","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.22.4"},{"introduced":"0.23.0-rc1"},{"fixed":"0.23.3"}]}],"ecosystem_specific":{"imports":[{"path":"vitess.io/vitess/go/vt/mysqlctl","symbols":["FileEntry.fullPath"]}]}}],"references":[{"type":"ADVISORY","url":"https://github.com/vitessio/vitess/security/advisories/GHSA-r492-hjgh-c9gw"},{"type":"WEB","url":"https://github.com/vitessio/vitess/commit/c565cab615bc962bda061dcd645aa7506c59ca4a"},{"type":"WEB","url":"https://github.com/vitessio/vitess/pull/19470"},{"type":"WEB","url":"https://owasp.org/www-community/attacks/Path_Traversal"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4570","review_status":"REVIEWED"}}