What is CVE-2023-29195?

### Impact Users can either intentionally or inadvertently create a shard containing `/` characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using `vtctldclient` does not have the same problem because the CLI validates the input correctly. ### Patches v16.0.2, corresponding to [0.16.2 on pkg.go.dev](https://pkg.go.dev/vitess.io/vitess@v0.16.2) ### Workarounds - Always use `vtctldclient` to create shards, instead of using VTAdmin - Disable creating shards from VTAdmin using RBAC - Delete the topology record for the offending shard using the client for your topology server. For example, if you created a shard called `a/b` in keyspace `commerce`, and you are running etcd, it can be deleted by doing something like ``` % etcdctl --endpoints "http://${ETCD_SERVER}" del /vitess/global/keyspaces/commerce/shards/a/b/Shard ``` ### References https://github.com/vitessio/vitess/issues/12842 Found during a security audit sponsored by the [CNCF](https://cncf.io) and facilitated by [OSTIF](https://ostif.org).

What is the severity of CVE-2023-29195?

CVE-2023-29195 has a CVSS v3 score of 4.3, which is classified as Medium severity.

Is there an exploit available for CVE-2023-29195?

No known public exploits are currently available for CVE-2023-29195.

Is there a patch available for CVE-2023-29195?

Yes, patches are available for CVE-2023-29195. Check the vendor advisories for update instructions.

CVE-2023-29195

Published: June 1, 2026

Last updated:1 day ago (June 1, 2026)

Exploit: NoZero-day: NoPatch: YesTrend: Neutral

TL;DR

Updated June 1, 2026

CVE-2023-29195 is a medium severity vulnerability with a CVSS score of 4.3. No known exploits currently, and patches are available.

Key Points

1Medium severity (CVSS 4.3/10)
2EPSS: 1.00% - moderate likelihood of exploitation
3No known public exploits
4Vendor patches are available
5Strobes Priority Score: 185/1000 (Low)
6Affects products from: Linuxfoundation

Test this CVE with Agentic AI

Deploy autonomous AI agents to validate this vulnerability in your environment.

Severity Scores

CVSS v34.3

CVSS v20.0

Priority Score185.0

EPSS Score1.0

Medium

Exploitation LikelihoodLow

1.00%EPSS

Lower probability of exploitation

Patch during regular maintenance

1.00%

EPSS

4.3

CVSS

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

Users can either intentionally or inadvertently create a shard containing / characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using vtctldclient does not have the same problem because the CLI validates the input correctly.

Patches

v16.0.2, corresponding to 0.16.2 on pkg.go.dev

Workarounds

Always use vtctldclient to create shards, instead of using VTAdmin
Disable creating shards from VTAdmin using RBAC
Delete the topology record for the offending shard using the client for your topology server. For example, if you created a shard called a/b in keyspace commerce, and you are running etcd, it can be deleted by doing something like

% etcdctl --endpoints "http://${ETCD_SERVER}" del /vitess/global/keyspaces/commerce/shards/a/b/Shard

References

https://github.com/vitessio/vitess/issues/12842

Found during a security audit sponsored by the CNCF and facilitated by OSTIF.

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Local

User Interaction:Network

Scope:Unchanged

Confidentiality:Network

Integrity:Network

Availability:Local

Patch References

Github.com Github.com Security [email protected]Security [email protected]Security [email protected]

Trend Analysis

Neutral

Vulnerable Products

Vendor	Product
Linuxfoundation	Vitess

Advisories

GitHub Advisory

Msrc:

NVD

Cite This Page

APA Format

Strobes VI. (2026). CVE-2023-29195 - CVE Details and Analysis. Strobes VI. Retrieved June 2, 2026, from https://vi.strobes.co/cve/CVE-2023-29195

Quick copy link + title

Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.

Impact

Patches

v16.0.2, corresponding to 0.16.2 on pkg.go.dev

Workarounds

Always use vtctldclient to create shards, instead of using VTAdmin
Disable creating shards from VTAdmin using RBAC
Delete the topology record for the offending shard using the client for your topology server. For example, if you created a shard called a/b in keyspace commerce, and you are running etcd, it can be deleted by doing something like

% etcdctl --endpoints "http://${ETCD_SERVER}" del /vitess/global/keyspaces/commerce/shards/a/b/Shard

References

https://github.com/vitessio/vitess/issues/12842

Found during a security audit sponsored by the CNCF and facilitated by OSTIF.

Vendor

Product

Linuxfoundation

Vitess

CVE-2023-29195

Impact

Patches

Workarounds

References

Ready for Agentic Automated Testing?

CVE-2023-29195

Impact

Patches

Workarounds

References