CVE-2026-44374 Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks

Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless o...

CVE-2026-44374 Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks

Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless o...

@backstage/plugin-catalog-backend-module-unprocessed (>=0.0.0-nightly-20240321021124 <=0.6.11-next.0), @backstage/plugin-catalog-unprocessed-entities (>=0.0.0-nightly-20251203024610 <=0.2.30-next.0) potentially affected by CVE-2026-44374 via @backstage/plugin-catalog-unprocessed-entities-common (>=0.0.0-nightly-20241116023418 <=0.0.15-next.0)

@backstage/plugin-catalog-unprocessed-entities-common NPM version =0.0.0-nightly-20241116023418, =0.0.0-nightly-20240321021124, =0.0.0-nightly-20251203024610, =0.2.30-next.0 Source cves: CVE-2026-44374 Source advisory: OSV:GHSA-P7G9-RP3G-MGFG...

@backstage/backend-defaults (>=0.15.3-next.0 <=0.16.0-next.2), @backstage/backend-dynamic-feature-service (>=0.7.10-next.0 <=0.8.0-next.2) +70 more potentially affected by CVE-2026-29185 via @backstage/integration (>=1.21.0-next.0 <=2.0.0-next.2)

@backstage/integration NPM version =1.21.0-next.0, =0.15.3-next.0, =0.7.10-next.0, =1.11.1-next.0, =0.35.5-next.0, =0.5.9-next.0, =1.1.21-next.0, =0.15.1-next.0, =0.4.1-next.0, =0.5.1-next.0, =1.2.16-next.0, =0.13.5-next.0, =0.4.1-next.0, =0.3.8-next.0, =1.33.1-next.0, =3.5.0-next.0, =3.5.0-next....

CVE-2024-53983 Server-side request forgery in Backstage Scaffolder plugin

The Backstage Scaffolder plugin Houses types and utilities for building scaffolder-related modules. A vulnerability is identified in Backstage Scaffolder template functionality where Server-Side Template Injection SSTI can be exploited to perform Git config injection. The vulnerability allows an...

@aws/aws-config-catalog-module-for-backstage (>=0.1.0 <=0.2.0), @backstage-community/backstage-plugin-catalog-backend-module-mta-entity-provider (=0.3.0) +54 more potentially affected by CVE-2023-25571 via @backstage/plugin-catalog-backend (>=0.0.0-nightly-20220708025041 <=1.5.1)

@backstage/plugin-catalog-backend NPM version =0.0.0-nightly-20220708025041, =0.1.0, =0.4.0, =1.7.4, =1.0.3, =0.0.0-nightly-20240116021644, =0.0.0-nightly-20220219022334, =0.0.0-nightly-20220308022132, =0.0.0-nightly-20220311022539, =0.0.0-nightly-20220531024457, =0.0.0-nightly-20220810023539,...

PT-2023-20170 · Unknown · @Backstage/Plugin-Catalog-Backend +2

Name of the Vulnerable Software and Affected Versions: @backstage/catalog-model versions prior to 1.2.0 @backstage/core-components versions prior to 0.12.4 @backstage/plugin-catalog-backend versions prior to 1.7.2 Description: This issue allows a malicious actor with access to add or modify conte...

Path Traversal in @backstage/plugin-scaffolder-backend

Impact A malicious actor could read sensitive files from the environment where Scaffolder tasks are run. The attack is executed by crafting a custom Scaffolder template with a publish:github:pull-request action using a particular source path. When the template is executed the sensitive files woul...

GHSA-PVV8-8FX9-H673 Path Traversal in @backstage/plugin-scaffolder-backend

Impact A malicious actor could read sensitive files from the environment where Scaffolder tasks are run. The attack is executed by crafting a custom Scaffolder template with a publish:github:pull-request action using a particular source path. When the template is executed the sensitive files woul...