Skip to main content

Red Hat CVE-2026-44374

| EUVDEUVD-2026-30295 MEDIUM
Incorrect Authorization (CWE-863)
2026-05-06 https://github.com/backstage/backstage GHSA-p7g9-rp3g-mgfg
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Red Hat
4.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
May 06, 2026 - 23:04 nvd
MEDIUM 4.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on @backstage/plugin-catalog-unprocessed-entities-common (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.0.15.

DescriptionGitHub Advisory

Impact

The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module.

Patches

This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30. Users should upgrade all packages.

Workarounds

If users cannot upgrade, they can remove the @backstage/plugin-catalog-backend-module-unprocessed module from their backend until the patch is applied. There is no configuration-based workaround to add permission checks to these endpoints without upgrading.

Analysis

Impact

The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module.

Patches

This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30. Users should upgrade all packages.

Workarounds

If users cannot upgrade, they can remove the @backstage/plugin-catalog-backend-module-unprocessed module from their backend until the patch is applied. There is no configuration-based workaround to add permission checks to these endpoints without upgrading.

Vendor StatusVendor

Share

CVE-2026-44374 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy