GHSA-8QP7-FHR9-FW53
Vulnerability from github – Published: 2026-03-05 00:23 – Updated: 2026-03-09 15:46
VLAI?
Summary
@backstage/plugin-scaffolder-backend Vulnerable to Potential Session Token Exfiltration via Log Redaction Bypass
Details
Impact
A malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs.
The attack requires: - The ability to register a template in the catalog - A victim who executes the malicious template
Patches
Patched in @backstage/plugin-scaffolder-backend version 3.1.4
Workarounds
- Implement a custom permission policy that restricts scaffolder.task.read so users can only read their own task logs
- Restrict who can register templates in the catalog to trusted users only
Resources
- Backstage Scaffolder permissions documentation: https://backstage.io/docs/permissions/plugin-authors/01-setup/
- Backstage Threat Model: https://backstage.io/docs/overview/threat-model/
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.3"
},
"package": {
"ecosystem": "npm",
"name": "@backstage/plugin-scaffolder-backend"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-29184"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-05T00:23:51Z",
"nvd_published_at": "2026-03-07T15:15:55Z",
"severity": "LOW"
},
"details": "### Impact\n\nA malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs.\n\nThe attack requires:\n - The ability to register a template in the catalog\n - A victim who executes the malicious template\n\n### Patches\n Patched in `@backstage/plugin-scaffolder-backend` version 3.1.4\n\n### Workarounds\n - Implement a custom permission policy that restricts scaffolder.task.read so users can only read their own task logs\n - Restrict who can register templates in the catalog to trusted users only\n\n### Resources\n - Backstage Scaffolder permissions documentation: https://backstage.io/docs/permissions/plugin-authors/01-setup/\n - Backstage Threat Model: https://backstage.io/docs/overview/threat-model/",
"id": "GHSA-8qp7-fhr9-fw53",
"modified": "2026-03-09T15:46:58Z",
"published": "2026-03-05T00:23:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29184"
},
{
"type": "WEB",
"url": "https://backstage.io/docs/overview/threat-model"
},
{
"type": "WEB",
"url": "https://backstage.io/docs/permissions/plugin-authors/01-setup"
},
{
"type": "PACKAGE",
"url": "https://github.com/backstage/backstage"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "@backstage/plugin-scaffolder-backend Vulnerable to Potential Session Token Exfiltration via Log Redaction Bypass"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…