CVE-2026-44374

Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless o...

CVE-2026-44374

Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless o...

EUVD-2026-30295

Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless o...

Backstage 安全漏洞

Backstage is an open-source application developed by Backstage. It serves as an open platform for building developer portals. Versions of Backstage prior to 0.6.11 contained security vulnerabilities. These vulnerabilities stemmed from the lack of enforceable permission checks for entity retrieval...

@vrabbi/backstage-devtools-wrapper (>=0.2.0 <=0.2.1) potentially affected by CVE-2026-44374 via @backstage/plugin-catalog-unprocessed-entities (=0.1.4)

@backstage/plugin-catalog-unprocessed-entities NPM version =0.1.4 is affected by a known vulnerability. The following packages have a transitive dependency on @backstage/plugin-catalog-unprocessed-entities and may be impacted: - @vrabbi/backstage-devtools-wrapper =0.2.0, =0.2.1 Source cves:...

Incorrect Authorization

Overview @backstage/plugin-catalog-backend-module-unprocessed is a Backstage Catalog module to view unprocessed entities Affected versions of this package are vulnerable to Incorrect Authorization in the unprocessed entities read endpoints. An attacker can gain unauthorized access to sensitive...

@backstage/plugin-catalog-backend-module-unprocessed (>=0.0.0-nightly-20240321021124 <=0.6.11-next.0), @backstage/plugin-catalog-unprocessed-entities (>=0.0.0-nightly-20251203024610 <=0.2.30-next.0) potentially affected by CVE-2026-44374 via @backstage/plugin-catalog-unprocessed-entities-common (>=0.0.0-nightly-20241116023418 <=0.0.15-next.0)

@backstage/plugin-catalog-unprocessed-entities-common NPM version =0.0.0-nightly-20241116023418, =0.0.0-nightly-20240321021124, =0.0.0-nightly-20251203024610, =0.2.30-next.0 Source cves: CVE-2026-44374 Source advisory: OSV:GHSA-P7G9-RP3G-MGFG...

GHSA-P7G9-RP3G-MGFG Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks

Impact The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting...