Skip to main content

Red Hat CVE-2026-24047

MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2026-01-21 security-advisories@github.com GHSA-2p49-45hj-7mc9
6.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Red Hat
6.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 21, 2026 - 23:15 nvd
MEDIUM 6.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 115 npm packages depend on @backstage/cli-common (8 direct, 107 indirect)

Ecosystem-wide dependent count for version 0.1.17.

DescriptionGitHub Advisory

Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating link1 → link2 → /outside where intermediate symlinks eventually resolve outside the allowed directory) and dangling symlinks (creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations). This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. This vulnerability is fixed in @backstage/backend-plugin-api version 0.1.17. Users should upgrade to this version or later. Some workarounds are available. Run Backstage in a containerized environment with limited filesystem access and/or restrict template creation to trusted users.

AnalysisAI

The resolveSafeChildPath function in Backstage's backend-plugin-api prior to version 0.1.17 improperly validates symlink chains and dangling symlinks, allowing authenticated attackers to bypass path traversal protections used by Scaffolder actions and other backend components. An attacker with low privileges could exploit this to access files outside the intended directory boundaries by chaining intermediate symlinks or creating symlinks pointing to non-existent paths that are later materialized during file operations. This affects Backstage installations relying on the vulnerable path validation function for security isolation.

Technical ContextAI

This vulnerability (CWE-59: Improper Link Resolution Before File Access) affects backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage.. Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating `link1 → link2 → /

Affected ProductsAI

Product: backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage.. Versions: up to 0.1.17.

RemediationAI

Monitor vendor advisories for a patch. Validate and sanitize file path inputs. Use allowlists. Restrict network access to the affected service where possible.

Vendor StatusVendor

Share

CVE-2026-24047 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy