{"id":"GO-2026-4570","summary":"Vitess users with backup storage access can write to arbitrary file paths in vitess.io/vitess","details":"Vitess users with backup storage access can write to arbitrary file paths on restore in vitess.io/vitess","aliases":["CVE-2026-27969","GHSA-r492-hjgh-c9gw"],"modified":"2026-03-23T04:52:45.223538Z","published":"2026-03-10T18:28:01Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4570","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/vitessio/vitess/security/advisories/GHSA-r492-hjgh-c9gw"},{"type":"WEB","url":"https://github.com/vitessio/vitess/commit/c565cab615bc962bda061dcd645aa7506c59ca4a"},{"type":"WEB","url":"https://github.com/vitessio/vitess/pull/19470"},{"type":"WEB","url":"https://owasp.org/www-community/attacks/Path_Traversal"}],"affected":[{"package":{"name":"vitess.io/vitess","ecosystem":"Go","purl":"pkg:golang/vitess.io/vitess"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.22.4"},{"introduced":"0.23.0-rc1"},{"fixed":"0.23.3"}]}],"ecosystem_specific":{"imports":[{"symbols":["FileEntry.fullPath"],"path":"vitess.io/vitess/go/vt/mysqlctl"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4570.json"}}],"schema_version":"1.7.5"}