Skip to main content

Backstage Plugin Scaffolder Backend CVE-2026-29184

LOW
Insertion of Sensitive Information into Log File (CWE-532)
2026-03-07 security-advisories@github.com GHSA-8qp7-fhr9-fw53
2.0
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.0 LOW
AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Mar 07, 2026 - 15:15 nvd
LOW 2.0

DescriptionGitHub Advisory

Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs. This issue has been patched in version 3.1.4.

AnalysisAI

Backstage is an open framework for building developer portals. versions up to 3.1.4 is affected by insertion of sensitive information into log file (CVSS 2.0).

Technical ContextAI

This vulnerability (CWE-532: Insertion of Sensitive Information into Log File) affects Backstage is an open framework for building developer portals.. Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs. This issue has been patched in version 3.1.4.

RemediationAI

Fixed in version 3.1.4.. Restrict network access to the affected service where possible.

Share

CVE-2026-29184 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy