Description
Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that construct API URLs, the traversal segments could redirect requests to unintended SCM provider API endpoints using the configured server-side integration credentials. This issue has been patched in version 1.20.1.
Published: 2026-03-07
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to SCM provider APIs using server-side credentials
Action: Apply Patch
AI Analysis

Impact

Prior to version 1.20.1, Backstage's SCM URL parsing allowed encoded path traversal sequences (for example a percent-encoded ".." segment) to be carried through as part of a file path. When such a URL was handed to an integration function that builds a provider API request, the traversal segments moved the request to a different SCM provider API endpoint than the one the repository URL implied, while the request was still authenticated with the server-side token configured for that integration. The weakness is classified as path traversal (CWE-22), but the thing traversed is the provider's API URL rather than a local filesystem path: the practical result is that Backstage's own credentials can be used to read data from repositories or endpoints the caller is not entitled to reach.

Affected Systems

Backstage is an open-source developer portal framework backed by the Linux Foundation. The affected component is the @backstage/integration package (CPE cpe:2.3:a:linuxfoundation:@backstage/integration:*:*:*:*:*:node.js:*:*); Backstage installations running a release older than 1.20.1 are affected. The vulnerable code is the integration layer that constructs SCM provider API URLs from SCM URLs.

Risk and Exploitability

The CVSS 3.1 base score is 2.7 (Low), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N: network-reachable and low complexity, but it requires high privileges and yields only a limited confidentiality impact. The EPSS score is below 1%, indicating a very low likelihood of exploitation, and the flaw is not listed in the CISA KEV catalog; the SSVC assessment records no known exploitation, not automatable, partial technical impact. An attacker needs the ability to supply an SCM URL containing encoded path traversal sequences that Backstage's integration layer then resolves with its configured token. The advisory does not document a specific entry point through which such URLs reach the integration layer.

Generated by OpenCVE AI on April 16, 2026 at 10:56 UTC.

Remediation

Vendor fix: Backstage 1.20.1 (see advisory GHSA-95v5-prp4-5gv5). No workaround other than upgrading is documented.

OpenCVE Recommended Actions

  • Upgrade Backstage (and with it @backstage/integration) to version 1.20.1 or newer, which fixes the SCM URL parsing flaw.
  • Validate all SCM URLs before passing them to integration functions: decode the path first, then reject any segment that is "." or "..", so that neither literal nor percent-encoded traversal sequences reach the API URL construction logic.
  • Limit the scopes of the tokens configured for integrations to what each integration needs, and monitor the provider's API audit logs for requests from the integration token to repositories or endpoints Backstage is not expected to touch.
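The traversal the advisory describes, shown as an added illustrative example in TypeScript. This is not code from @backstage/integration: the parser, the `api.github.com` contents-endpoint layout, the repository names and the function names are assumptions chosen to make the mechanism concrete. It covers both the SCM URL parsing discussed under Impact and the validation step in the second recommendation above: a parser that keeps `%2e%2e` verbatim, a URL builder that decodes and concatenates (the vulnerable shape), and one that validates after decoding and confines the result to the repository prefix.

```typescript
// Illustrative model (added example, not code from @backstage/integration) of
// the bug class in CVE-2026-29185: an SCM "blob" URL is split into
// owner/repo/ref/path and turned into a provider API URL. If an encoded
// traversal sequence survives parsing and is decoded before the API URL is
// built, the request walks out of the intended /repos/<owner>/<repo>/contents/
// prefix while still carrying the server-side integration token.

interface ScmUrlParts {
  owner: string;
  repo: string;
  ref: string;
  filepath: string; // path exactly as it appeared in the URL, %-escapes intact
}

// Hypothetical parser for https://github.com/<owner>/<repo>/blob/<ref>/<path>.
// A regex (rather than the WHATWG URL parser) keeps "%2e%2e" verbatim, which is
// the situation the advisory describes. Refs containing "/" are out of scope.
function parseScmUrl(url: string): ScmUrlParts {
  const m = /^https:\/\/github\.com\/([^/]+)\/([^/]+)\/blob\/([^/]+)\/(.+)$/.exec(url);
  if (!m) throw new Error(`unsupported SCM URL: ${url}`);
  const [, owner = '', repo = '', ref = '', filepath = ''] = m;
  return { owner, repo, ref, filepath };
}

const API_BASE = 'https://api.github.com'; // assumed provider API host

function contentsPrefix(p: ScmUrlParts): string {
  return `${API_BASE}/repos/${encodeURIComponent(p.owner)}/${encodeURIComponent(p.repo)}/contents/`;
}

// Vulnerable shape: decode the file path and concatenate it onto the API
// prefix. new URL() models what a WHATWG-conformant HTTP client does with the
// string before sending it: dot segments are collapsed, so a decoded
// "../../../../repos/other/private/contents/x" relocates the request to
// another repository's contents endpoint.
function buildContentsUrlVulnerable(p: ScmUrlParts): string {
  const decoded = decodeURIComponent(p.filepath);
  const full = `${contentsPrefix(p)}${decoded}?ref=${p.ref}`;
  return new URL(full).toString();
}

// Hardened shape: validate *after* decoding, re-encode per segment, and assert
// that the final URL is still under the intended prefix (defense in depth).
function buildContentsUrlSafe(p: ScmUrlParts): string {
  const decoded = decodeURIComponent(p.filepath);
  const segments = decoded.split('/');
  for (const seg of segments) {
    // "..", "%2e%2e", "%2E." etc. all decode to a dot segment; empty segments
    // ("a//b", trailing "/") are rejected too, since they are never a file.
    if (seg === '' || seg === '.' || seg === '..') {
      throw new Error(`rejected path segment ${JSON.stringify(seg)} in ${p.filepath}`);
    }
  }
  // Double-encoded input ("%252e%252e") decodes once to the literal "%2e%2e";
  // re-encoding each segment sends the provider a file literally named
  // "%2e%2e" rather than a traversal, and neutralises "\" and "/" as well.
  const encodedPath = segments.map(encodeURIComponent).join('/');
  const prefix = contentsPrefix(p);
  const full = `${prefix}${encodedPath}?ref=${encodeURIComponent(p.ref)}`;
  if (!new URL(full).toString().startsWith(prefix)) {
    throw new Error('API URL escaped the repository prefix');
  }
  return full;
}
```

The URL Standard also treats `%2e%2e` itself as a double-dot segment, so a client that resolves the concatenated string through a WHATWG URL parser can be steered even when nothing decodes the path explicitly; the hardened builder's segment check runs on decoded text and its final prefix assertion catches either route.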



Advisories
Source: GitHub GHSA
ID: GHSA-95v5-prp4-5gv5
Title: Backstage vulnerable to potential reading of SCM URLs using built in token
History

Thu, 09 Apr 2026 18:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Linuxfoundation; Linuxfoundation @backstage/integration
CPEs                  -                cpe:2.3:a:linuxfoundation:@backstage/integration:*:*:*:*:*:node.js:*:*
Vendors & Products    -                Linuxfoundation; Linuxfoundation @backstage/integration

Tue, 10 Mar 2026 12:15:00 +0000

Type         Values Removed           Values Added
References
Metrics      threat_severity: None    threat_severity: Low


Mon, 09 Mar 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Backstage; Backstage backstage
Vendors & Products    -                Backstage; Backstage backstage

Sat, 07 Mar 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description   -                Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that construct API URLs, the traversal segments could redirect requests to unintended SCM provider API endpoints using the configured server-side integration credentials. This issue has been patched in version 1.20.1.
Title         -                @backstage/integration: Potential reading of SCM URLs using built in token
Weaknesses    -                CWE-22
References
Metrics       -                cvssV3_1 {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:24:16.756Z

Reserved: 2026-03-04T14:44:00.714Z

Link: CVE-2026-29185

Vulnrichment

Updated: 2026-03-09T20:15:45.383Z

NVD

Status : Analyzed

Published: 2026-03-07T15:15:55.240

Modified: 2026-04-09T18:29:39.100

Link: CVE-2026-29185

Red Hat

Severity : Low

Public Date: 2026-03-07T15:02:04Z

Links: CVE-2026-29185 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T11:00:10Z

Weaknesses