Skip to main content

Backstage Plugin Scaffolder Backend CVE-2026-32237

MEDIUM
Information Exposure (CWE-200)
2026-03-12 security-advisories@github.com GHSA-8wq8-6859-qx77
4.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Red Hat
4.4 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 19:57 vuln.today
CVE Published
Mar 12, 2026 - 19:16 nvd
MEDIUM 4.4

DescriptionGitHub Advisory

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.

AnalysisAI

Impact

Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload.

Deployments that have configured scaffolder.defaultEnvironment.secrets are affected.

Patches

This is patched in @backstage/plugin-scaffolder-backend version 3.1.5

Workarounds

Remove or empty the scaffolder.defaultEnvironment.secrets configuration from app-config.yaml. Alternatively, restrict access to the scaffolder dry-run functionality via the permissions framework.

References

Technical ContextAI

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Information Exposure (CWE-200).

RemediationAI

A vendor patch is available — apply it immediately. Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

Vendor StatusVendor

Share

CVE-2026-32237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy