CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


CVE-2026-27969

Vitess Path Traversal via Backup Manifest Manipulation

Amit Schendel, Senior Security Researcher

Feb 27, 2026 · 5 min read

Executive Summary (TL;DR)

Improper path sanitization in the Vitess backup restore process allows attackers with backup storage access to write arbitrary files to the host OS via manipulated manifests.

A critical path traversal vulnerability exists in the Vitess `builtinbackupengine` component, specifically within the backup restoration workflow. The flaw arises from improper validation of file paths defined in the backup `MANIFEST` file. An attacker with write access to the backup storage location (e.g., S3, GCS, or NFS) can craft a malicious backup manifest containing directory traversal sequences. When a Vitess `vttablet` attempts to restore from this compromised backup, the system processes these sequences, allowing arbitrary file writes to the underlying host filesystem. This vulnerability permits attackers to break out of the intended data directory, potentially overwriting system binaries, configuration files, or authorized keys to achieve remote code execution.

Vulnerability Overview

Vitess is a database clustering system for horizontal scaling of MySQL. A core component of its reliability strategy is the backup and restore functionality managed by the builtinbackupengine. This engine handles the serialization of database states into storage backends (like AWS S3, Google Cloud Storage, or local mounts) and their subsequent restoration to vttablet instances.

The vulnerability, identified as CVE-2026-27969, resides in the logic responsible for interpreting the MANIFEST file during a restore operation. The MANIFEST is a metadata file that lists the objects contained within a backup and specifies where they should be placed on the local disk relative to the database root.

Due to a failure to sanitize the Name field within this manifest, the restoration process accepts relative path components (e.g., ../). This allows the restore routine to traverse outside the designated data directory. Consequently, the trust boundary is violated: the backup storage, which should only contain passive data, becomes a vector for active attacks against the database infrastructure.

Root Cause Analysis

The root cause of this vulnerability is the insecure usage of the path.Join function in Go when handling untrusted input from the backup manifest. The specific flaw is located in the fullPath method of the FileEntry structure within go/vt/mysqlctl/builtinbackupengine.go.

When Vitess performs a restore, it unmarshals the MANIFEST JSON file into FileEntry objects. Each entry contains a Name field representing the filename. The vulnerable code constructs the destination path by concatenating the base restore directory with this Name field using path.Join. path.Join lexically cleans the result (collapsing redundant separators and resolving . and .. components), but it never checks whether the cleaned path is still inside the base directory, so a Name containing ../ components simply walks out of it.

Specifically, path.Join("/vt/data", "../../etc/passwd") resolves to /etc/passwd. The application failed to verify that the final resolved path remained rooted within the intended destination directory (e.g., /vt/data). This omission allows an attacker who controls the manifest to direct the file write operation to any location writable by the vttablet process.

Code Analysis

The vulnerability exists in the fullPath method, which calculates where a file from the backup should be written. Below is the comparison between the vulnerable and patched implementations.

Vulnerable Implementation

In the original code, the Name field (derived directly from the JSON manifest) is passed to path.Join without prior validation. If fe.Name contains ../, it alters the directory hierarchy of the result.

// go/vt/mysqlctl/builtinbackupengine.go
 
func (fe *FileEntry) fullPath(cnf *Mycnf) (string, error) {
    // ... [root calculation logic] ...
    
    // VULNERABLE: path.Join resolves "../" but does not sandbox the path.
    // If fe.Name is "../../bin/malicious", the output escapes the root.
    return path.Join(fe.ParentPath, root, fe.Name), nil
}

Patched Implementation

The fix, introduced in commit c565cab615bc962bda061dcd645aa7506c59ca4a, replaces the standard path.Join with Vitess's own fileutil.SafePathJoin helper. This utility function conceptually performs the join and then checks that the resulting path is contained within the intended base directory.

// go/vt/mysqlctl/builtinbackupengine.go
 
func (fe *FileEntry) fullPath(cnf *Mycnf) (string, error) {
    // ... [root calculation logic] ...
 
    // FIXED: SafePathJoin ensures the result is contained within the parent.
    // Returns an error if the path attempts to traverse upwards.
    return fileutil.SafePathJoin(path.Join(fe.ParentPath, root), fe.Name)
}

The patch effectively enforces a jail on the file extraction process. Any attempt to supply a path containing traversal sequences that resolve outside the root will now trigger a fileutil.ErrInvalidJoinedPath error, aborting the write operation.
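The containment check that the vulnerable fullPath lacks (Root Cause Analysis) and that the patched version delegates to SafePathJoin can be made concrete with the Go example below. This is an added illustration, not Vitess's own fileutil.SafePathJoin (whose source is not reproduced on this page): the SafeJoin function, the FileEntry/Manifest field layout (Base, Name, FileEntries), the sample manifest and the restore root are all constructed assumptions for the example. The second half shows how the same check can be run over a whole MANIFEST before a restore touches the disk, so a tampered manifest is refused up front rather than caught file by file.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrInvalidJoinedPath signals that a joined path escaped its base directory.
// The name mirrors the error the article mentions, but this whole file is an
// illustrative reimplementation, not Vitess's fileutil package.
var ErrInvalidJoinedPath = errors.New("joined path escapes base directory")

// SafeJoin joins base and name and then verifies, lexically, that the result
// still lies inside base. This is the containment check the vulnerable
// fullPath never performed.
func SafeJoin(base, name string) (string, error) {
	// A manifest entry should never carry an absolute path; treat it as hostile.
	if filepath.IsAbs(name) {
		return "", ErrInvalidJoinedPath
	}
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(cleanBase, name) // Join cleans, so "../" is already resolved here

	// Ask how to get from base to the joined path. If the answer starts with
	// "..", the joined path is outside base. Rel (rather than a string-prefix
	// test) also keeps "/vt/data2" from passing as inside "/vt/data".
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", ErrInvalidJoinedPath
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidJoinedPath
	}
	return joined, nil
}

// FileEntry models one manifest entry. The Base/Name field layout is an
// assumption for this example; Name is the field the article identifies as
// attacker-influenced.
type FileEntry struct {
	Base string `json:"Base"` // category subdirectory under the restore root
	Name string `json:"Name"` // file path relative to Base
}

// Manifest is the part of the MANIFEST JSON this check cares about (assumed layout).
type Manifest struct {
	FileEntries []FileEntry `json:"FileEntries"`
}

// ValidateManifest parses a manifest and returns every entry whose destination
// would fall outside root, so a restore can be refused before any file is written.
func ValidateManifest(manifestJSON []byte, root string) ([]string, error) {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	var escaping []string
	for _, fe := range m.FileEntries {
		// Check Base and Name together: either one can carry the traversal.
		if _, err := SafeJoin(root, filepath.Join(fe.Base, fe.Name)); err != nil {
			escaping = append(escaping, fe.Base+"/"+fe.Name)
		}
	}
	return escaping, nil
}

// sampleManifest is a constructed manifest: two legitimate entries followed by
// two that attempt traversal (one via Name, one via Base).
const sampleManifest = `{
  "FileEntries": [
    {"Base": "Data",        "Name": "vt_0000000001/users.ibd"},
    {"Base": "InnoDBData",  "Name": "ibdata1"},
    {"Base": "Data",        "Name": "../../../../etc/passwd"},
    {"Base": "../../etc",   "Name": "cron.d/job"}
  ]
}`

func main() {
	root := "/vt/vtdataroot/vt_0000000100" // constructed restore root
	escaping, err := ValidateManifest([]byte(sampleManifest), root)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(escaping) == 0 {
		fmt.Println("manifest OK, restore may proceed")
		return
	}
	fmt.Println("REFUSING restore; entries escaping", root+":")
	for _, e := range escaping {
		fmt.Println("  ", e)
	}
}
```

Two design points. filepath.Rel is used instead of a strings.HasPrefix test on the joined string because the prefix test wrongly accepts /vt/data2/file as being inside /vt/data. And the check is purely lexical: if the restore root already contains a symlink that points outside it, a write through that symlink is not caught by this function, so a deployment that cannot guarantee a symlink-free data directory should additionally open destinations with O_NOFOLLOW or resolve symlinks before writing.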

Exploitation Methodology

Exploitation of CVE-2026-27969 requires a specific precondition: write access to the backup storage. This is classified as PR:H (Privileges Required: High) in CVSS 4.0, as backup locations are typically restricted. However, in compromised cloud environments or environments with overly permissive S3 bucket policies, this becomes a viable attack vector.

Attack Workflow:

  1. Reconnaissance: The attacker identifies the storage bucket or volume used by the target Vitess cluster for backups.
  2. Manifest Retrieval: The attacker downloads a valid backup MANIFEST file from the storage.
  3. Payload Injection: The attacker creates a malicious file (e.g., a reverse shell script or a modified authorized_keys file) and uploads it to the backup storage.
  4. Manifest Tampering: The attacker modifies the MANIFEST JSON. They add a FileEntry where the Name attribute is set to a traversal path, such as ../../../../../../usr/local/bin/malicious_script, mapping it to the uploaded payload.
  5. Trigger Restore: The attacker waits for an automated restore event or forces one (e.g., by crashing a tablet or triggering a new shard deployment).
  6. Execution: As the vttablet initializes, it processes the manifest. The builtinbackupengine writes the payload to /usr/local/bin/malicious_script. The attacker then waits for the system or an administrator to execute the file, or overwrites a frequently executed cron job to gain immediate execution.

Note: This attack is particularly dangerous in containerized environments (Kubernetes), where overwriting shared binaries or volume mounts can allow lateral movement to the host node.

Impact Assessment

The impact of this vulnerability is critical, principally affecting the Integrity and Confidentiality of the host system running the vttablet process. While the CVSS score is 9.3, the actual operational risk depends on the privileges of the Vitess process.

Direct Consequences:

  • Arbitrary File Write: Attackers can overwrite any file writable by the Vitess user. This often includes application configuration files, scripts, and potentially system binaries if the process runs as root (uncommon but possible in misconfigured containers).
  • Remote Code Execution (RCE): By overwriting startup scripts, .ssh/authorized_keys, or cron jobs, an attacker can elevate the arbitrary file write into full code execution.
  • Data Corruption: An attacker could overwrite valid database files or transaction logs with garbage data, causing persistent denial of service or data loss.

CVSS 4.0 Analysis:

The vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:H/SA:H highlights that while high privileges (access to backups) are required, the subsequent impact on the vulnerable system (Confidentiality and Integrity) is High. The attack complexity is Low once access is obtained.

Official Patches

Vitess Pull Request #19470 containing the fix

Technical Appendix

CVSS Score: 9.3 / 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:H/SA:H
EPSS Probability: 0.04% (top 88% most exploited)

Affected Systems

Vitess 22.x < 22.0.4
Vitess 23.x < 23.0.3

Affected Versions Detail

Product             Affected Versions      Fixed Version
Vitess (vitessio)   < 22.0.4               22.0.4
Vitess (vitessio)   >= 23.0.0, < 23.0.3    23.0.3

Attribute            Detail
CWE                  CWE-22 (Path Traversal)
CVSS v4.0            9.3 (Critical)
Attack Vector        Network (Backup Storage)
Exploit Maturity     None (No public PoC)
EPSS Score           0.04%
Affected Component   builtinbackupengine

MITRE ATT&CK Mapping

T1083 File and Directory Discovery (Discovery)
T1485 Data Destruction (Impact)

CWE-22 Path Traversal: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Vulnerability Timeline

2026-02-25  Fix commit merged
2026-02-26  Advisory GHSA-r492-hjgh-c9gw published
2026-02-26  CVE-2026-27969 assigned

References & Sources

  • [1] GHSA-r492-hjgh-c9gw Advisory
  • [2] NVD CVE-2026-27969
