RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: VitessClear ×

Vitess

Storage & DataJun 24, 2026

Vitess v24.0.2 is a patch release combining two security hardening fixes (gRPC auth timing, twopcz value escaping) with a broad set of bug fixes across backup/restore, VReplication, vtgate, VTOrc, and connection pooling. No breaking API or config changes are stated.

  • securityTwo security hardening fixes: gRPC auth timing, twopcz reflected values

    Fixes for a timing side-channel in the static gRPC auth plugin's password comparison and a reflected-value escaping gap in the twopcz handler. Both apply unconditionally; upgrade to v24.0.2 if you run gRPC static auth or expose the twopcz endpoint.

Key changes (7)
  • servenv: static gRPC auth plugin now uses constant-time password comparison, closing a timing side-channel.
  • tabletserver: twopcz handler now escapes reflected form values, closing a reflected-injection gap.
  • smartconnpool: multiple fixes covering MaxLifetime jitter, refresh worker persistence after reopen, idle reopen stalls, close deadlocks, Setting preservation, and rejecting SetCapacity on a closed pool.
  • VTOrc: fixed a deadlock between PrimaryIsReadOnly recovery and PrimarySemiSyncBlocked, plus a gauge reset for resolved errant GTIDs.
  • VReplication/vtgate: fixed a vstream StopOnReshard hang on reshard convergence, stale healthcheck updates from replaced tablets, and DECIMAL JSON leading-zero handling in binlog decoding.
  • vtgate: Filter streaming path now uses ToBoolean() for correct results, and prepared statements in OLAP/streaming mode get specialized plans.
  • Plus about six smaller fixes: mysqlctl remote shutdown timeout propagation, backup lastErr clearing, keyspaceState leak in discovery, etcd2topo lock-cleanup RPC bounding, and vttablet Stream schema clobbering.
Source

Vitess

Storage & DataJun 24, 2026

v23.0.5 is a bug-fix rollup with two medium-severity security hardening fixes. Changes span connection pooling, query planning, VReplication, VTOrc, topology, and backup/restore, with no API, config, or default changes.

  • securityTiming-safe password comparison in static gRPC auth plugin

    The static gRPC auth plugin now uses constant-time comparison for passwords, closing a potential timing-based credential leak. Applies to all deployments using static gRPC authentication.

  • securityReflected-input escaping in twopcz handler

    The twopcz debug handler now escapes reflected form values, preventing reflected input injection. Applies to any deployment where the twopcz handler endpoint is reachable.

Key changes (7)
  • Two medium-severity security fixes: constant-time password comparison in the static gRPC auth plugin and reflected-input escaping in the twopcz handler.
  • smartconnpool fixes several connection lifecycle bugs: expired waiters receiving returned connections, MaxLifetime jitter, refresh worker loss after reopen, idle reopen stalls, close deadlocks, and rejection of SetCapacity on a closed pool.
  • VTOrc resolves a data race in forgetAliases cache initialization, a deadlock between PrimaryIsReadOnly recovery and PrimarySemiSyncBlocked, and incorrect persistence of the CurrentErrantGTIDCount gauge after errant GTIDs are resolved.
  • VReplication binlog handling now correctly preserves leading zeroes and trims leading zeroes for DECIMAL JSON values (e.g. 0.1) that a prior fix missed.
  • VTGate planner corrects merged DML IN/NOT IN subquery substitution via ListArg placeholder; the Filter streaming path now uses ToBoolean() correctly and builds specialized plans for prepared statements in OLAP/streaming mode.
  • vstream StopOnReshard hang on reshard convergence is fixed; stale healthcheck updates from a replaced tablet's canceled connection check are dropped.
  • Additional fixes: mysqlctl remote shutdown timeout propagation, keyspaceState leak in Discovery, etcd2topo unbounded lock-acquisition cleanup RPCs, and vttablet Stream schema clobbering for non-keyspace fields.
Source

Vitess

Storage & DataMay 7, 2026

v23.0.4 is a stability-focused patch release fixing multiple panics in VTOrc, VTGate, and ERS, plus critical VReplication and routing rule bugs that could silently misdirect traffic.

  • securityGo upgraded to 1.25.9 — check your custom builds

    The Go runtime was bumped from 1.25.8 to 1.25.9 within this release cycle. If you build Vitess from source or maintain custom images, rebuild against go1.25.9 to pick up any runtime-level fixes included in that Go patch release.

  • breakingUpgrade immediately if you use ERS or semi-sync replication

    Three separate ERS bugs were fixed: nil pointer panics during errant GTID detection, broken cancellation logic, and IO threads not restarting on replicas after ERS failure. Any of these can leave your cluster in a degraded state after a failover. If you run semi-sync with VTOrc, the ReplicationStopped + PrimarySemiSyncBlocked deadlock fix is equally critical — it could stall recovery entirely. Upgrade before your next planned maintenance window at the latest.

  • enhancementRouting rule and schema-tracker fix affects multi-keyspace setups

    VTGate was not rebuilding routing rules after schema-tracker updates, and was dropping the target keyspace during routing rule AST rewrites. Both are silent bugs — queries appear to work but may land on the wrong keyspace. If you use routing rules with multiple keyspaces, validate query routing behavior after upgrading to confirm traffic is going where you expect.

Key changes (5)
  • Fixed panic in VTOrc when handling ReplicationStopped + PrimarySemiSyncBlocked recovery simultaneously — a deadlock risk in HA scenarios
  • EmergencyReparentShard (ERS) fixes: nil pointer panic in errant GTID detection, broken cancellation in reparentReplicas(), and IO thread restart failures after ERS failure
  • VTGate: routing rules now correctly rebuild after schema-tracker updates, and target keyspace is preserved when routing rules rewrite table AST — both are silent correctness bugs
  • VTGate: buffer no longer restarts after shutdown, preventing potential connection storms during controlled restarts
  • Go runtime upgraded to go1.25.9, and vitessdriver now correctly returns string for binary result values (regression fix)
Source

Vitess

Storage & DataApr 30, 2026

Vitess v24 ships structured JSON logging by default, window function pushdown for sharded keyspaces, OpenTelemetry tracing, and a security fix for backup manifest command injection. 460 PRs merged.

  • securityBackup MANIFEST command injection is now blocked by default

    Prior to v24, an attacker with write access to backup storage could modify the MANIFEST file to inject arbitrary shell commands that VTTablet would execute during restore. This is now blocked — the MANIFEST decompressor field is ignored unless you explicitly pass --external-decompressor-use-manifest. If you're on v23 or earlier, treat backup storage access controls as a security boundary and audit who can write to it.

  • breakingAudit backup restore configs for MANIFEST decompressor

    If your VTTablet restore process relied on the decompressor command stored in backup MANIFESTs (i.e., you never set --external-decompressor but backups still decompressed), restores will silently skip decompression in v24 and likely fail. Add --external-decompressor-use-manifest to your VTTablet config to preserve old behavior, but read the security advisory first: a compromised backup store could execute arbitrary commands on your tablet. Evaluate whether you actually need this or can pass --external-decompressor explicitly instead.

  • breakingRemove deprecated VTOrc API endpoint and metric references

    The /api/replication-analysis endpoint returns 404 in v24 — any monitoring scripts, Grafana dashboards, or alerting rules hitting that URL will break silently or with errors. Switch to /api/detection-analysis (same params, same response format). Also replace DiscoverInstanceTimings with DiscoveryInstanceTimings in dashboards. Do this before deploying v24 to production.

  • enhancementMigrate tracing to OpenTelemetry now, not in v25

    opentracing-jaeger and opentracing-datadog are deprecated in v24 and will be removed in v25. The migration is straightforward: replace --tracer opentracing-jaeger with --tracer opentelemetry, and swap --jaeger-agent-host host:port for --otel-endpoint host:4317. Jaeger v1.35+ accepts OTLP on port 4317 by default. Datadog users should point to the Agent's OTLP ingestion endpoint. Do this upgrade cycle, not the next one.

  • enhancementAdd --cell flag to VTOrc now

    --cell is optional in v24 but becomes required in v25. Multi-cell deployments especially should add it now — startup validation against the topology will catch misconfiguration early, and it unblocks future cross-cell recovery logic in VTOrc. One flag, no downtime, avoids a forced change next release.

Key changes (6)
  • Structured JSON logging is now the default (--log-format=text for human-readable; glog deprecated, removed in v25)
  • Window functions can now push down to shards when PARTITION BY matches a unique vindex — no more forced single-shard routing
  • External decompressor command from backup MANIFEST is ignored by default (security fix); opt-in required via --external-decompressor-use-manifest
  • OpenTracing backends (jaeger, datadog) deprecated; migrate to --tracer opentelemetry before v25
  • VTOrc /api/replication-analysis endpoint and DiscoverInstanceTimings metric removed — update dashboards and scripts now
  • --grpc-send-session-in-streaming flag removed from VTGate; session is always sent in streaming responses
Source

Vitess

Storage & DataFeb 27, 2026

Security-focused release addressing two critical CVEs related to backup MANIFEST file vulnerabilities that could allow arbitrary command execution and path traversal attacks.

  • securityImmediate upgrade required for CVE-2026-27965 and CVE-2026-27969

    Two critical CVEs allow attackers with backup storage write access to execute arbitrary commands and perform path traversal attacks. Upgrade immediately to v22.0.4 and review backup storage access controls to ensure only trusted entities have write permissions.

  • securityAudit and secure backup storage access

    Since these vulnerabilities require write access to backup storage, review who has write permissions to your backup locations. Implement proper access controls and consider using immutable backup storage where possible to prevent tampering.

  • breakingUpdate VTTablet configuration if using MANIFEST-based decompressors

    External decompressor commands from MANIFEST files are ignored by default. If your restore process relies on this behavior, add the --external-decompressor-use-manifest flag to your VTTablet configuration, but understand this reintroduces security risks.

Key changes (4)
  • External decompressor commands from backup MANIFEST files are no longer used by default
  • Path traversal attacks via MANIFEST file modifications are now prevented
  • New --external-decompressor-use-manifest flag added for explicit opt-in to MANIFEST-based decompressor
  • 37 merged pull requests with security-focused improvements
Source

Vitess

Storage & DataFeb 27, 2026

Vitess v23.0.3 is a critical security release addressing two CVEs related to backup restore vulnerabilities, with breaking changes to external decompressor handling.

  • securityImmediate Upgrade Required for Backup Security

    This release fixes critical vulnerabilities (CVE-2026-27965, CVE-2026-27969) that allow attackers with backup storage write access to execute arbitrary commands or perform path traversal attacks. Upgrade immediately if you use Vitess backups, especially in environments where backup storage might be compromised. Review backup storage access controls and audit recent backup operations for suspicious activity.

  • breakingUpdate VTTablet Configuration for External Decompressors

    If your backup/restore process relies on external decompressors defined in MANIFEST files, you must add the --external-decompressor-use-manifest flag to your VTTablet configuration. Without this flag, restores will fail if they depend on MANIFEST-specified decompressors. Review your backup strategy and explicitly configure decompressor commands instead of relying on MANIFEST files for better security.

  • enhancementStrengthen Backup Security Posture

    Take this opportunity to review and harden your backup security practices. Implement strict access controls on backup storage, use dedicated service accounts with minimal permissions, and consider encrypting backup storage. The new security model provides better isolation but requires explicit configuration of decompression tools rather than trusting backup metadata.

Key changes (5)
  • External decompressor commands from backup MANIFEST files are no longer used by default during restore
  • Added --external-decompressor-use-manifest flag to explicitly opt into MANIFEST-based decompressor usage
  • Implemented path traversal protection to prevent arbitrary file writes during backup restore
  • Fixed CVE-2026-27965 and CVE-2026-27969 related to backup security vulnerabilities
  • 22 merged pull requests focused on security improvements
Source