FKIE_CVE-2026-24046

Vulnerability from fkie_nvd - Published: 2026-01-21 23:15 - Updated: 2026-01-26 15:04
Summary
Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access.
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access."
    },
    {
      "lang": "es",
      "value": "Backstage es un framework abierto para construir portales de desarrolladores. M\u00faltiples acciones de Scaffolder y utilidades de extracci\u00f3n de archivos eran vulnerables a ataques de salto de ruta basados en symlinks. Un atacante con acceso para crear y ejecutar plantillas de Scaffolder podr\u00eda explotar symlinks para leer archivos arbitrarios a trav\u00e9s de la acci\u00f3n debug:log creando un symlink que apunte a archivos sensibles (p. ej., /etc /passwd, archivos de configuraci\u00f3n, secretos); eliminar archivos arbitrarios a trav\u00e9s de la acci\u00f3n fs:delete creando symlinks que apunten fuera del espacio de trabajo, y escribir archivos fuera del espacio de trabajo a trav\u00e9s de la extracci\u00f3n de archivos (tar/zip) que contengan symlinks maliciosos. Esto afecta a cualquier implementaci\u00f3n de Backstage donde los usuarios puedan crear o ejecutar plantillas de Scaffolder. Esta vulnerabilidad est\u00e1 corregida en las versiones 0.12.2, 0.13.2, 0.14.1 y 0.15.0 de @backstage/backend-defaults; las versiones 2.2.2, 3.0.2 y 3.1.1 de @backstage/plugin-scaffolder-backend; y las versiones 0.11.2 y 0.12.3 de @backstage/plugin-scaffolder-node. Los usuarios deben actualizar a estas versiones o posteriores. Hay algunas soluciones alternativas disponibles. Siga la recomendaci\u00f3n en el Modelo de Amenazas de Backstage para limitar el acceso a la creaci\u00f3n y actualizaci\u00f3n de plantillas, restringir qui\u00e9n puede crear y ejecutar plantillas de Scaffolder utilizando el framework de permisos, auditar las plantillas existentes en busca de uso de symlinks, y/o ejecutar Backstage en un entorno en contenedores con acceso limitado al sistema de archivos."
    }
  ],
  "id": "CVE-2026-24046",
  "lastModified": "2026-01-26T15:04:59.737",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-21T23:15:53.240",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-59"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}