Pre-requisites:

• Have a compromised security key (https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret)
• Somehow, manage to create an arbitrary file in Craft’s /storage/backups folder.

With those two pieces in place, you could create a specific, malicious request to the /updater/restore-db endpoint to execute CLI commands remotely.

Fixed in a19d46b

Reported by Marco O. (segfault)