CVE-2026-24046

EPSS 0.02%
Veröffentlicht 21.01.2026 22:36:30
Zuletzt bearbeitet 26.01.2026 15:04:59
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerbackstage

≫

Produkt backstage

Version @backstage/backend-defaults < 0.12.2

Status affected

Version @backstage/backend-defaults >= 0.13.0, < 0.13.2

Status affected

Version @backstage/backend-defaults >= 0.14.0, < 0.14.1

Status affected

Version @backstage/plugin-scaffolder-backend < 2.2.2

Status affected

Version @backstage/plugin-scaffolder-backend >= 3.0.0, < 3.0.2

Status affected

Version @backstage/plugin-scaffolder-backend >= 3.1.0, < 3.1.1

Status affected

Version @backstage/plugin-scaffolder-node < 0.11.2

Status affected

Version @backstage/plugin-scaffolder-node >= 0.12.0, < 0.12.3

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.052

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.1	1.8	4.7	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp

https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d

https://nvd.nist.gov/vuln/detail/CVE-2026-24046

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24046

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24046

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-24046