Skip to main content

Backstage CVE-2026-24046

HIGH
Path Traversal (CWE-22)
2026-01-21 security-advisories@github.com GHSA-rq6q-wr2q-7pgp
7.1
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.1 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
Red Hat
9.1 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 21, 2026 - 23:15 nvd
HIGH 7.1

DescriptionCVE.org

Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the debug:log action by creating a symlink pointing to sensitive files (e.g., /etc/passwd, configuration files, secrets); delete arbitrary files via the fs:delete action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in @backstage/backend-defaults versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; @backstage/plugin-scaffolder-backend versions 2.2.2, 3.0.2, and 3.1.1; and @backstage/plugin-scaffolder-node versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access.

AnalysisAI

Backstage Scaffolder actions and archive extraction utilities are vulnerable to symlink-based path traversal attacks, allowing authenticated users with template creation privileges to read sensitive files, delete arbitrary files outside the workspace, or write malicious files via crafted symlinks in tar/zip archives. This affects deployments where users can create or execute Scaffolder templates, with no patch currently available for versions prior to @backstage/backend-defaults 0.12.2.

Technical ContextAI

Classified as CWE-22 (Path Traversal). Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the debug:log action by creating a symlink pointing to sensitive files (e.g., /etc/passwd, configuration files, secrets); delete arbitrary files via the fs:delete action by creating symlinks poin

Affected ProductsAI

Fixed in: @backstage/backend-defaults versions 0

RemediationAI

Monitor vendor advisories for a patch. Validate and sanitize file path inputs. Use allowlists. Restrict network access to the affected service where possible.

Vendor StatusVendor

Share

CVE-2026-24046 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy