CVE-2026-24046
📋 TL;DR
This CVE describes a symlink-based path traversal vulnerability in Backstage's Scaffolder component. Attackers with template creation/execution privileges can exploit symlinks to read, delete, or write arbitrary files on the filesystem. This affects any Backstage deployment where users can create or execute Scaffolder templates.
💻 Affected Systems
- Backstage
- @backstage/backend-defaults
- @backstage/plugin-scaffolder-backend
- @backstage/plugin-scaffolder-node
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version ranges, so automated detection keyed on NVD data cannot determine whether your deployment is affected.
Why? The NVD record omits affected version ranges. The vendor advisory linked under Fix & Mitigation does list the patched releases, so verify installed versions against those by hand.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Compromise of the Backstage backend host: reading secrets and configuration, deleting files, or planting malicious files in sensitive locations, all with the privileges of the Backstage process (which is why that process should run with the least filesystem access the deployment allows).
Likely Case
Unauthorized access to sensitive configuration files, secrets, or user data stored on the filesystem.
If Mitigated
Limited impact if proper access controls restrict template creation/execution to trusted users only.
🎯 Exploit Status
Exploitation requires authenticated access with template creation/execution permissions. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: @backstage/backend-defaults 0.12.2, 0.13.2, 0.14.1, 0.15.0 or later; @backstage/plugin-scaffolder-backend 2.2.2, 3.0.2, 3.1.1 or later; @backstage/plugin-scaffolder-node 0.11.2, 0.12.3 or later
Vendor Advisory: https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp
Restart Required: Yes
Instructions:
1. Update the affected packages to the patched versions using npm/yarn.
2. Restart the Backstage services.
3. Verify there are no regressions in template functionality.
🔧 Temporary Workarounds
Restrict template permissions
Limit who can create and execute Scaffolder templates using Backstage's permissions framework
Configure Backstage permission policies to restrict template operations
Container isolation
Run Backstage in a containerized environment with limited filesystem access
docker run -v /safe/path:/app --read-only ...
🧯 If You Can't Patch
- Implement strict access controls to limit who can create/execute Scaffolder templates
- Audit existing templates for symlink usage and remove suspicious templates
- Run Backstage with minimal filesystem permissions in isolated container
🔍 How to Verify
Check if Vulnerable:
Check package.json and the installed tree for affected versions: @backstage/backend-defaults <0.12.2, <0.13.2, <0.14.1, <0.15.0; @backstage/plugin-scaffolder-backend <2.2.2, <3.0.2, <3.1.1; @backstage/plugin-scaffolder-node <0.11.2, <0.12.3. Each threshold applies to its own release line (for example backend-defaults 0.13.x is affected below 0.13.2), and a release line older than any listed one has no patched release, so treat it as affected until upgraded.
Check Version:
npm list @backstage/backend-defaults @backstage/plugin-scaffolder-backend @backstage/plugin-scaffolder-node
Verify Fix Applied:
Verify updated packages show patched versions in package.json and node_modules
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns via Scaffolder actions
- Template execution accessing paths outside workspace
- Symlink creation in template operations
Network Indicators:
- No distinctive network signature: the attacker uses ordinary, authenticated Scaffolder API traffic and the file access happens locally on the backend host.
SIEM Query:
source="backstage" AND (action="debug:log" OR action="fs:delete") AND (path CONTAINS "/etc/" OR path CONTAINS "/root/" OR path CONTAINS "..")
Keep the path conditions parenthesized: left unparenthesized, the trailing ORs match any event whose path contains "/root/" or "..", regardless of source or action.