Skip to main content

Backstage Plugin Scaffolder Backend

2 CVEs product

Monthly

CVE-2026-32237 npm MEDIUM PATCH This Month

### Impact Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured `scaffolder.defaultEnvironment.secrets` are affected. ### Patches This is patched in `@backstage/plugin-scaffolder-backend` version 3.1.5 ### Workarounds Remove or empty the `scaffolder.defaultEnvironment.secrets` configuration from `app-config.yaml`. Alternatively, restrict access to the scaffolder dry-run functionality via the permissions framework. ### References - [Backstage Scaffolder Backend documentation](https://backstage.io/docs/features/software-templates/)

Information Disclosure Backstage Plugin Scaffolder Backend
NVD GitHub
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-29184 npm LOW PATCH Monitor

Backstage is an open framework for building developer portals. versions up to 3.1.4 is affected by insertion of sensitive information into log file (CVSS 2.0).

Authentication Bypass Backstage Plugin Scaffolder Backend
NVD GitHub
CVSS 3.1
2.0
EPSS
0.0%
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

### Impact Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured `scaffolder.defaultEnvironment.secrets` are affected. ### Patches This is patched in `@backstage/plugin-scaffolder-backend` version 3.1.5 ### Workarounds Remove or empty the `scaffolder.defaultEnvironment.secrets` configuration from `app-config.yaml`. Alternatively, restrict access to the scaffolder dry-run functionality via the permissions framework. ### References - [Backstage Scaffolder Backend documentation](https://backstage.io/docs/features/software-templates/)

Information Disclosure Backstage Plugin Scaffolder Backend
NVD GitHub
EPSS 0% CVSS 2.0
LOW PATCH Monitor

Backstage is an open framework for building developer portals. versions up to 3.1.4 is affected by insertion of sensitive information into log file (CVSS 2.0).

Authentication Bypass Backstage Plugin Scaffolder Backend
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy