CVE-2026-29186
📋 TL;DR
This CVE describes a configuration bypass vulnerability in Backstage's TechDocs plugin that allows arbitrary Python code execution. Attackers can craft malicious mkdocs.yml files to bypass security controls and execute arbitrary code during documentation builds. This affects all Backstage instances using vulnerable versions of the @backstage/plugin-techdocs-node package.
💻 Affected Systems
- Backstage
- @backstage/plugin-techdocs-node
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary Python code with the privileges of the TechDocs build process, potentially leading to data theft, lateral movement, or persistent backdoors.
Likely Case
Attackers with access to modify documentation configurations can execute arbitrary code to steal sensitive data, compromise the build environment, or pivot to other systems.
If Mitigated
With proper network segmentation and least privilege, impact is limited to the TechDocs build environment, though code execution still poses significant risk.
🎯 Exploit Status
Exploitation requires ability to modify mkdocs.yml configuration files. The vulnerability bypasses existing security controls through a gap in the allowlist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.14.3
Vendor Advisory: https://github.com/backstage/backstage/security/advisories/GHSA-928r-fm4v-mvrw
Restart Required: Yes
Instructions:
1. Update Backstage to version 1.14.3 or later.
2. Update @backstage/plugin-techdocs-node to the latest version.
3. Restart the Backstage application.
4. Verify that TechDocs builds function correctly.
🔧 Temporary Workarounds
Disable TechDocs builds
Temporarily disable TechDocs documentation builds to prevent exploitation.
Set techdocs.builder to 'local' in app-config.yaml or disable the TechDocs plugin.
Restrict mkdocs.yml modifications
Implement strict access controls on who can modify mkdocs.yml files.
🧯 If You Can't Patch
- Implement strict access controls on mkdocs.yml file modifications
- Isolate TechDocs build environment with network segmentation and minimal privileges
🔍 How to Verify
Check if Vulnerable:
Check package.json for the installed @backstage/plugin-techdocs-node version. If the version is lower than 1.14.3, the system is vulnerable.
Check Version:
npm list @backstage/plugin-techdocs-node
Verify Fix Applied:
Verify @backstage/plugin-techdocs-node version is 1.14.3 or later in package.json and TechDocs builds function normally.
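As an added example (not from the advisory or the Backstage project), the check below parses the JSON form of the `npm list` command above and flags every installed copy of @backstage/plugin-techdocs-node below the 1.14.3 patch version stated on this page, including transitive copies nested under other packages. The sample dependency tree is constructed, and pre-release versions are assumed to sort below the final release as semver specifies.

```python
import json
import re
import subprocess

PACKAGE = "@backstage/plugin-techdocs-node"
FIXED = (1, 14, 3, 1)  # 1.14.3, the patch version named in this advisory

def parse_version(v):
    """Turn a semver string into a comparable tuple; pre-releases sort below the release."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, pre, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)

def find_installed(tree, name):
    """Collect every installed version of `name` anywhere in a nested npm dependency tree."""
    found = set()
    for dep_name, info in tree.get("dependencies", {}).items():
        if dep_name == name and "version" in info:
            found.add(info["version"])
        found |= find_installed(info, name)  # transitive copies count too
    return found

def vulnerable_versions(npm_list_json, name=PACKAGE, fixed=FIXED):
    """Return the installed versions of `name` older than `fixed`, oldest first."""
    tree = json.loads(npm_list_json)
    hits = [v for v in find_installed(tree, name) if parse_version(v) < fixed]
    return sorted(hits, key=parse_version)

# Constructed sample of `npm list --json --all` output; not taken from a real deployment.
SAMPLE = json.dumps({
    "name": "example-backstage-app",
    "dependencies": {
        "@backstage/plugin-techdocs-backend": {
            "version": "1.10.0",
            "dependencies": {"@backstage/plugin-techdocs-node": {"version": "1.12.2"}},
        },
        "@backstage/plugin-techdocs-node": {"version": "1.14.3"},
    },
})

if __name__ == "__main__":
    print("sample tree ->", vulnerable_versions(SAMPLE))
    try:  # live check against the project in the current directory
        live = subprocess.run(["npm", "list", "--json", "--all", PACKAGE], capture_output=True, text=True).stdout
        print("this project ->", vulnerable_versions(live) if live else "no npm output")
    except FileNotFoundError:
        print("npm not on PATH; skipping live check")
```

A top-level 1.14.3 copy does not clear the project: the nested 1.12.2 copy under the backend plugin is still reported, which is why the lockfile-wide walk matters.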
📡 Detection & Monitoring
Log Indicators:
- Unusual Python process execution during TechDocs builds
- Errors in TechDocs build logs indicating configuration parsing issues
- Unexpected mkdocs.yml modifications
Network Indicators:
- Unusual outbound connections from TechDocs build process
- Suspicious Python package downloads during builds
SIEM Query:
source="backstage" AND ("techdocs" OR "mkdocs") AND ("python" OR "exec" OR "malicious")