Linuxfoundation Vitess

4 matches found

CVE • added 2023/04/14 6:42 p.m. • 60 views

CVE-2023-29194

Vitess CVE-2023-29194 describes a logic flaw that allows creation of a keyspace containing a slash (/), which can cause VTAdmin (and in some references vtctldclient GetKeyspaces) to error when listing or viewing keyspaces. The underlying issue affects how keyspaces with a slash are handled and ma...

4.1 CVSS • 3.7 AI score • 0.00782 EPSS

CVE • added 2023/05/11 7:7 p.m. • 49 views

CVE-2023-29195

Vitess VTAdmin shard creation bug: before 16.0.2, VTAdmin could produce a shard name containing a "/" that caused subsequent shard creation attempts to fail and keyspace views to break. The issue is fixed in version 16.0.2 (go module v0.16.2). Workarounds include: use vtctldclient to create shard...

4.3 CVSS • 4.3 AI score • 0.00983 EPSS

CVE • added 2026/02/26 1:49 a.m. • 15 views

CVE-2026-27965

Vitess CVE-2026-27965 affects versions older than 23.0.3 and 22.0.4, where read/write access to backup storage (e.g., S3) lets an attacker modify backup manifest files and cause arbitrary code to run when the backup is restored, potentially gaining unauthorized access to production. A patch exist...

9.9 CVSS • 5.8 AI score • 0.00417 EPSS

CVE • added 2026/02/26 1:52 a.m. • 11 views

CVE-2026-27969

Vitess backup manifest path traversal vulnerability affecting read/write access to backup storage locations. Prior to versions 23.0.3 and 22.0.4, an attacker who can access the backup storage (e.g., S3 bucket) can manipulate manifest files so that files listed in the manifest, including themselve...

9.3 CVSS • 5.7 AI score • 0.00402 EPSS