Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 2 npm packages depend on @backstage/plugin-catalog-unprocessed-entities-common (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.0.15.
DescriptionGitHub Advisory
Impact
The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module.
Patches
This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30. Users should upgrade all packages.
Workarounds
If users cannot upgrade, they can remove the @backstage/plugin-catalog-backend-module-unprocessed module from their backend until the patch is applied. There is no configuration-based workaround to add permission checks to these endpoints without upgrading.
Analysis
Impact
The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module.
Patches
This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30. Users should upgrade all packages.
Workarounds
If users cannot upgrade, they can remove the @backstage/plugin-catalog-backend-module-unprocessed module from their backend until the patch is applied. There is no configuration-based workaround to add permission checks to these endpoints without upgrading.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30295
GHSA-p7g9-rp3g-mgfg