60 matches found

Github Security Blog
added 2026/05/06 11:4 p.m., 2 views

Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks

Impact: The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting...

CVSS 4.3 | AI score 5.8 | EPSS 0.00031
Exploits 0 | References 3 | Affected software 3
Snyk
added 2026/05/06 11:4 p.m., 6 views

Incorrect Authorization

Overview: @backstage/plugin-catalog-backend-module-unprocessed is a Backstage Catalog module to view unprocessed entities. Affected versions of this package are vulnerable to Incorrect Authorization in the unprocessed entities read endpoints. An attacker can gain unauthorized access to sensitive...

CVSS 5.3 | AI score 5.8 | EPSS 0.00031
Exploits 0 | References 2
Positive Technologies
added 2026/05/06 12:0 a.m., 4 views

PT-2026-38311

Impact: The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting...

CVSS 4.3 | AI score 5.8 | EPSS 0.00031
Exploits 0 | References 4
OSV
added 2026/03/18 12:40 p.m., 1 view

MAL-2026-1657 Malicious code in backstage-plugin-wpe-catalog (npm)

Source: amazon-inspector 8ba337d37ef9344a2df43beb88ffec3f1061cba440eb4c4ed69798da6f3122b5. The package backstage-plugin-wpe-catalog was found to contain malicious code...

AI score 5.8
Exploits 0
OSSF Malicious Packages
added 2026/03/18 12:40 p.m., 2 views

Malicious code in backstage-plugin-wpe-catalog (npm)

Source: amazon-inspector 8ba337d37ef9344a2df43beb88ffec3f1061cba440eb4c4ed69798da6f3122b5. The package backstage-plugin-wpe-catalog was found to contain malicious code...

AI score 5.8
Exploits 0
RedhatCVE
added 2026/03/12 11:18 p.m., 1 view

CVE-2026-32235

An allowlist bypass flaw has been discovered in the npm @backstage/plugin-auth-backend package. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass th...

CVSS 5.9 | AI score 5.7 | EPSS 0.00033
Exploits 0 | References 4
Vulnrichment
added 2026/03/12 6:37 p.m., 0 views

CVE-2026-32236 @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch

Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id...

CVSS 6.3 | AI score 5.8 | EPSS 0.00047
Exploits 0 | References 2
Cvelist
added 2026/03/12 6:37 p.m., 20 views

CVE-2026-32236 @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch

Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id...

CVSS 6.3 | EPSS 0.00047
Exploits 0 | References 2
Github Security Blog
added 2026/03/12 2:51 p.m., 3 views

@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Impact: Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured...

CVSS 6.5 | AI score 5.9 | EPSS 0.00037
Exploits 0 | References 4 | Affected software 1
EUVD
added 2026/03/12 2:51 p.m., 3 views

EUVD-2026-11675

@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint...

CVSS 4.4 | AI score 5.8 | EPSS 0.00037
Exploits 0 | References 2
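The scaffolder dry-run entries above describe a response whose log stream is redacted while other parts of the payload are not. The following is an added example, not code from @backstage/plugin-scaffolder-backend, of the pattern that closes that gap: redact the configured secret values from the entire response object before it leaves the server, walking every string, array element and object value so a token embedded inside a longer string (a remote URL, a rendered .npmrc line) is masked too. The response shape, field names and token values are constructed assumptions, not the plugin's schema.

```typescript
// Added example, not @backstage/plugin-scaffolder-backend's own code: redact the
// configured secret values from the whole dry-run response before it leaves the
// server, rather than only from the log stream.
export type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

export function redactSecrets(value: Json, secrets: string[], mask = "***"): Json {
  // Longest values first, so a secret that contains a shorter one is masked whole.
  const ordered = secrets.filter((s) => s.length > 0).sort((a, b) => b.length - a.length);
  const walk = (v: Json): Json => {
    if (typeof v === "string") {
      let out = v;
      for (const s of ordered) out = out.split(s).join(mask); // masks embedded occurrences too
      return out;
    }
    if (Array.isArray(v)) return v.map(walk);
    if (v !== null && typeof v === "object") {
      const res: { [key: string]: Json } = {};
      for (const [k, inner] of Object.entries(v)) res[k] = walk(inner);
      return res;
    }
    return v; // number, boolean, null
  };
  return walk(value);
}

// Which of the given secrets still appear anywhere in the serialized payload.
export function leakedSecrets(payload: Json, secrets: string[]): string[] {
  const text = JSON.stringify(payload);
  return secrets.filter((s) => text.includes(s));
}

// Constructed sample: server-side default environment values and a dry-run
// response shaped the way the advisory describes (log redacted, other fields
// not). Field names and token values are assumptions, not the plugin's schema.
export const demoEnvironment: Record<string, string> = {
  GITHUB_TOKEN: "ghp_constructedtoken123",
  NPM_TOKEN: "npm_constructed456",
};
export const demoDryRunResponse: Json = {
  log: [{ body: { message: "pushing with token ***" } }],
  steps: [{ id: "publish", input: { token: "ghp_constructedtoken123" } }],
  output: { remoteUrl: "https://x-access-token:ghp_constructedtoken123@github.com/org/repo.git" },
  directoryContents: [{ path: ".npmrc", content: "//registry.npmjs.org/:_authToken=npm_constructed456" }],
};

export function redactedDemo(): Json {
  return redactSecrets(demoDryRunResponse, Object.values(demoEnvironment));
}
```

Run `redactedDemo()` and compare `leakedSecrets(...)` on the raw and redacted payloads: the raw response leaks both tokens through `steps[].input`, `output.remoteUrl` and `directoryContents[].content`, the redacted one leaks none. Redacting by value rather than by field name is the point: a field-name allowlist misses the URL and the file content.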
vulnersOsv
added 2026/03/12 2:51 p.m., 2 views

@backstage/plugin-auth-backend (>=0.0.0-nightly-20240122021809 <=0.22.11), @backstage/plugin-auth-backend-module-aws-alb-provider (>=0.0.0-nightly-20240126021148 <=0.4.14-next.1) +7 more potentially affected by CVE-2026-32236 via @backstage/plugin-auth-backend (>=0.0.0-nightly-20240929023448 <=0.27.1-next.2)

@backstage/plugin-auth-backend NPM version =0.0.0-nightly-20240929023448, =0.0.0-nightly-20240122021809, =0.0.0-nightly-20240126021148, =0.0.0-nightly-20240122021809, =0.0.0-nightly-2022122206, =0.0.0-nightly-2022122206, =0.0.0-nightly-2022122206, =1.0.0, =1.2.0 -...

CVSS 7.5 | AI score 5.8 | EPSS 0.00047
Exploits 0
EUVD
added 2026/03/12 2:51 p.m., 2 views

EUVD-2026-11673

@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch...

AI score 5.8 | EPSS 0.00047
Exploits 0 | References 2
OSV
added 2026/03/12 2:51 p.m., 2 views

GHSA-QP4C-XG64-7C6X @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch

Impact: A Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation...

CVSS 6.3 | AI score 5.8 | EPSS 0.00047
Exploits 0 | References 4
Github Security Blog
added 2026/03/12 2:51 p.m., 11 views

@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch

Impact: A Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation...

CVSS 7.5 | AI score 5.8 | EPSS 0.00047
Exploits 0 | References 4 | Affected software 1
Snyk
added 2026/03/12 2:51 p.m., 2 views

Server-side Request Forgery (SSRF)

Overview: @backstage/plugin-auth-backend is a Backstage backend plugin that handles authentication. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the CIMD metadata fetch when the auth.experimentalClientIdMetadataDocuments.enabled setting is enabled. An...

CVSS 6.3 | AI score 5.8 | EPSS 0.00047
Exploits 0 | References 2
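The CVE-2026-32236 entries above all describe the same defect: the CIMD metadata fetch checks the initial client_id hostname against private IP ranges but does not apply the same check further along the fetch. The following is an added example, not Backstage's own code or its fix, of a fetcher that applies one address check to every hop: the initial URL, each redirect target, and every address a hostname resolves to. The hostnames, addresses, redirect target and the stand-in DNS/HTTP functions are constructed assumptions so the example runs offline; they are not taken from the advisory.

```typescript
// Added example, not Backstage's own code: a metadata fetcher that re-checks every
// hop (initial URL, each redirect target, every resolved address) against
// private, loopback and link-local ranges, rather than only the initial hostname.
import { isIP } from "node:net";

// IPv4 prefixes an outbound metadata fetch should never reach (RFC 1918, loopback,
// link-local incl. cloud metadata 169.254.169.254, CGNAT, "this network").
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// True for addresses the fetcher must refuse to connect to.
export function isBlockedAddress(ip: string): boolean {
  const fam = isIP(ip);
  if (fam === 4) {
    const n = v4ToInt(ip);
    return BLOCKED_V4.some(([base, bits]) => {
      const mask = (~0 << (32 - bits)) >>> 0;
      return ((n & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
    });
  }
  if (fam === 6) {
    const v6 = ip.toLowerCase();
    if (v6 === "::1" || v6 === "::") return true;                       // loopback, unspecified
    if (/^f[cd]/.test(v6)) return true;                                  // fc00::/7 unique local
    if (/^fe[89ab]/.test(v6)) return true;                               // fe80::/10 link-local
    if (v6.startsWith("::ffff:")) return isBlockedAddress(v6.slice(7)); // IPv4-mapped literal
    return false;
  }
  return true; // not an IP literal at all: nothing usable to connect to
}

export type Resolver = (host: string) => Promise<string[]>;
export type HopResponse = { status: number; headers: Record<string, string>; body: string };
export type Fetcher = (url: string) => Promise<HopResponse>; // must NOT follow redirects itself

// Reject a hop unless it is https and every address the host resolves to is public.
export async function assertSafeHop(url: string, resolve: Resolver): Promise<void> {
  const u = new URL(url);
  if (u.protocol !== "https:") throw new Error(`refusing non-https hop ${url}`);
  const host = u.hostname.replace(/^\[|\]$/g, ""); // URL keeps brackets on IPv6 literals
  const addrs = isIP(host) ? [host] : await resolve(host);
  if (addrs.length === 0) throw new Error(`no addresses for ${host}`);
  for (const a of addrs) {
    if (isBlockedAddress(a)) throw new Error(`blocked address ${a} for ${host} at hop ${url}`);
  }
}

// Follow redirects manually so the same check runs on every Location target.
export async function fetchMetadataChecked(
  startUrl: string, fetcher: Fetcher, resolve: Resolver, maxRedirects = 3,
): Promise<string> {
  let url = startUrl;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    await assertSafeHop(url, resolve);
    const res = await fetcher(url);
    if (res.status >= 300 && res.status < 400) {
      const loc = res.headers["location"];
      if (!loc) throw new Error(`redirect without Location at ${url}`);
      url = new URL(loc, url).toString(); // relative Location resolved, then re-checked above
      continue;
    }
    if (res.status !== 200) throw new Error(`unexpected status ${res.status} at ${url}`);
    return res.body;
  }
  throw new Error("too many redirects");
}

// Constructed stand-ins for DNS and HTTP so the example runs offline. Hostnames,
// addresses and the redirect target are assumptions, not taken from the advisory.
const DEMO_DNS: Record<string, string[]> = {
  "client.example.com": ["203.0.113.10"],
  "rebind.example.com": ["203.0.113.10", "10.0.0.5"], // one public, one internal answer
};
export const demoResolver: Resolver = async (host) => DEMO_DNS[host] ?? [];
export const demoFetcher: Fetcher = async (url) => {
  if (url === "https://client.example.com/client-metadata.json") {
    return { status: 302, headers: { location: "https://169.254.169.254/latest/meta-data/" }, body: "" };
  }
  if (url === "https://client.example.com/ok.json") {
    return { status: 200, headers: {}, body: '{"client_id":"https://client.example.com/ok.json"}' };
  }
  return { status: 404, headers: {}, body: "" };
};

// Three cases: clean fetch, redirect to the metadata IP, split DNS answer.
export async function runDemo(): Promise<{ ok: string; blockedHop: string; blockedDns: string }> {
  const fetchErr = (u: string) =>
    fetchMetadataChecked(u, demoFetcher, demoResolver).then(() => "", (e: Error) => e.message);
  return {
    ok: await fetchMetadataChecked("https://client.example.com/ok.json", demoFetcher, demoResolver),
    blockedHop: await fetchErr("https://client.example.com/client-metadata.json"),
    blockedDns: await fetchErr("https://rebind.example.com/metadata.json"),
  };
}
```

In a real deployment `resolve` would wrap `dns.promises.lookup(host, { all: true })` and `fetcher` an HTTP client configured not to follow redirects. One caveat the example does not remove: checking the resolved addresses and then letting the HTTP client resolve the name again leaves a window for DNS rebinding, so a complete fix connects to the address that was validated (a custom lookup or agent) rather than re-resolving the hostname.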
EUVD
added 2026/03/12 2:50 p.m., 2 views

EUVD-2026-11671

@backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass...

CVSS 5.9 | AI score 5.8 | EPSS 0.00033
Exploits 0 | References 2
OSV
added 2026/03/12 2:50 p.m., 0 views

GHSA-WQVH-63MV-9W92 @backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass

Impact: The experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafte...

CVSS 5.9 | AI score 5.9 | EPSS 0.00033
Exploits 0 | References 4
vulnersOsv
added 2026/02/13 8:53 p.m., 3 views

@secustor/backstage-plugin-renovate-backend-module-runtime-direct (>=4.0.0 <=4.0.2), renovate-mcp (=0.11.0) potentially affected by unknown CVE via renovate (>=43.118.0 <=43.46.0)

renovate NPM version =43.118.0, =4.0.0, =4.0.2 - renovate-mcp =0.11.0 Source cves: unknown CVE Source advisory: SNYK:JS-RENOVATE-15282784...

AI score 5.8
Exploits 0
vulnersOsv
added 2026/02/13 8:53 p.m., 3 views

@secustor/backstage-plugin-renovate-backend-module-runtime-direct (>=4.0.0 <=4.0.2), renovate-mcp (=0.11.0) potentially affected by unknown CVE via renovate (>=43.118.0 <=43.46.0)

renovate NPM version =43.118.0, =4.0.0, =4.0.2 - renovate-mcp =0.11.0 Source cves: unknown CVE Source advisory: OSV:GHSA-8WC6-VGRQ-X6CF...

AI score 5.8
Exploits 0
vulnersOsv
added 2026/02/13 8:53 p.m., 1 view

@jamietanna/renovate-graph (=0.36.0), @secustor/backstage-plugin-renovate-backend-module-runtime-direct (=3.1.1) potentially affected by unknown CVE via renovate (>=42.92.4 <=42.92.5)

renovate NPM version =42.92.4, =42.92.5 is affected by a known vulnerability. The following packages have a transitive dependency on renovate and may be impacted: - @jamietanna/renovate-graph =0.36.0 - @secustor/backstage-plugin-renovate-backend-module-runtime-direct =3.1.1 Source cves: unknown C...

AI score 5.8
Exploits 0