Description
Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access.
Published: 2026-01-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Path traversal allowing arbitrary file read, delete, and write
Action: Patch Immediately
AI Analysis

Impact

Backstage, an open framework for developer portals, has a flaw in several scaffolder actions and its archive extraction utilities that allows symlink-based path traversal. An attacker that can create and run scaffolder templates can supply files that point to arbitrary locations on the host filesystem, leading to unauthorized reading, deletion, or creation of files outside the intended workspace.

Affected Systems

Affected deployments include any Backstage instance that permits users to create or execute scaffolder templates. The issue was fixed in specific package versions: @backstage/backend-defaults 0.12.2, 0.13.2, 0.14.1, and 0.15.0; @backstage/plugin-scaffolder-backend 2.2.2, 3.0.2, and 3.1.1; and @backstage/plugin-scaffolder-node 0.11.2 and 0.12.3. Versions older than these are vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity; the EPSS score of less than 1% suggests low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to craft templates, but once achieved the attacker can read sensitive files such as /etc/passwd, delete arbitrary files, or write files outside the workspace through archive extraction containing malicious symlinks.

Generated by OpenCVE AI on April 18, 2026 at 04:05 UTC.
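The containment check a defender wants for the weakness described above, added here as an illustration and not taken from Backstage's own code: it resolves symlinks with realpath before a workspace path is read or deleted, and screens archive entries (names and symlink targets) before extraction. The workspace layout, file names and temp-dir demo are constructed.

```typescript
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

// True when `candidate` is `root` or lies beneath it; a plain prefix test
// would wrongly accept "/ws-evil" for root "/ws".
export function isInside(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate);
  return rel === '' || (!path.isAbsolute(rel) && rel.split(path.sep)[0] !== '..');
}

// What fs:delete or debug:log should do before touching a workspace path:
// check the lexical path, then follow symlinks (realpath) and require the
// real target to still be inside. Returns the real path, or null to refuse.
export function resolveSafe(workspace: string, relPath: string): string | null {
  const root = fs.realpathSync(workspace);
  const lexical = path.resolve(root, relPath);
  if (!isInside(root, lexical)) return null;
  try {
    const real = fs.realpathSync(lexical);
    return isInside(root, real) ? real : null;
  } catch {
    return null; // dangling symlink or missing file: refuse rather than guess
  }
}

// Archive entries (tar/zip): the entry name must stay inside the workspace,
// and a symlink entry's target, resolved against the entry's directory, must
// too. Extraction must still run resolveSafe() on the parent directory before
// writing, since an earlier symlink entry can redirect a later entry.
export function isSafeArchiveEntry(root: string, name: string, linkTarget?: string): boolean {
  const dest = path.resolve(root, name);
  if (path.isAbsolute(name) || !isInside(root, dest)) return false;
  if (linkTarget === undefined) return true;
  if (path.isAbsolute(linkTarget)) return false;
  return isInside(root, path.resolve(path.dirname(dest), linkTarget));
}

// Constructed demo: a workspace holding one real file and one symlink that
// points at a file outside the workspace (stand-in for /etc/passwd).
export function demo(): { inTree: boolean; viaSymlink: boolean } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'bs-'));
  const ws = path.join(base, 'workspace');
  fs.mkdirSync(ws);
  fs.writeFileSync(path.join(base, 'secret.txt'), 'outside');
  fs.writeFileSync(path.join(ws, 'README.md'), 'inside');
  fs.symlinkSync(path.join(base, 'secret.txt'), path.join(ws, 'leak'));
  return { inTree: resolveSafe(ws, 'README.md') !== null,
           viaSymlink: resolveSafe(ws, 'leak') !== null };
}
```

The lexical check alone is what a `..`-only filter gives; the realpath step is what closes the symlink case this advisory is about.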

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest patched versions of @backstage/backend-defaults, @backstage/plugin-scaffolder-backend, and @backstage/plugin-scaffolder-node.
  • Restrict permissions so that only trusted users can create or update scaffolder templates using the Backstage permissions framework.
  • Audit existing templates for symlink usage to identify and remediate malicious or vulnerable links.
  • Run Backstage in a containerized environment with limited filesystem access to contain potential traversal attacks.

Generated by OpenCVE AI on April 18, 2026 at 04:05 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-rq6q-wr2q-7pgp
Title: Backstage has a Possible Symlink Path Traversal in Scaffolder Actions

History

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Backstage, backstage

Type: Vendors & Products
Values Added: Backstage, backstage

Fri, 23 Jan 2026 00:15:00 +0000

Type: References
Values Added: (updated)

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Important


Thu, 22 Jan 2026 23:00:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 22:45:00 +0000

Type: Description
Values Added: the advisory text shown in the Description section above

Type: Title
Values Added: Backstage has a Possible Symlink Path Traversal in Scaffolder Actions

Type: Weaknesses
Values Added: CWE-22, CWE-59

Type: References
Values Added: (updated)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Sources

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T16:49:11.684Z

Reserved: 2026-01-20T22:30:11.777Z

Link: CVE-2026-24046

Vulnrichment

Updated: 2026-01-22T15:09:22.979Z

NVD

Status : Deferred

Published: 2026-01-21T23:15:53.240

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24046

Red Hat

Severity: Important

Published: 2026-01-21T22:36:30Z

Links: CVE-2026-24046 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses