Description
A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.
Published: 2026-02-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Workaround
AI Analysis

Impact

A flaw in the Orchestrator Plugin of Red Hat Developer Hub allows an authenticated user to inject malicious input into GraphQL queries. Because the plugin performs insufficient input validation, the crafted request disrupts backend query processing, causing the entire Backstage application to crash and restart. As a result, legitimate users experience a platform‑wide denial of service for the duration of the restart cycle.

Affected Systems

The vulnerability affects Red Hat Developer Hub (Backstage). No specific product version information is provided in the public data, so all deployments of the Red Hat Developer Hub that include the Orchestrator Plugin are potentially impacted.

Risk and Exploitability

The CVSS Base score is 6.5, denoting a medium severity vulnerability, while the EPSS score is reported as less than 1 %, indicating a very low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Exploitation appears to require an attacker with valid credentials capable of accessing the GraphQL API; the attack pattern is based on authenticated exploitation. Although the exploit is not currently widespread, the impact of each successful attack is significant because it brings down the entire platform.

Generated by OpenCVE AI on April 16, 2026 at 16:13 UTC.

Remediation

Vendor Workaround

To mitigate this issue, restrict network access to the Red Hat Developer Hub instance to trusted users and networks only. This limits the exposure of the vulnerable Orchestrator Plugin to unauthorized access.

OpenCVE Recommended Actions

  • Restrict network access to the Red Hat Developer Hub instance to trusted users and networks only.
  • Monitor the platform for unexpected crashes or restart events that may indicate an attempt to exploit the GraphQL injection flaw.
  • Review future Red Hat releases for fixes that strengthen GraphQL input validation and plan to upgrade when available.

Generated by OpenCVE AI on April 16, 2026 at 16:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhdh:1 cpe:/a:redhat:rhdh:1.8::el9
References

Fri, 27 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:redhat:developer_hub:-:*:*:*:*:*:*:*

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat developer Hub
Vendors & Products Redhat developer Hub

Thu, 26 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 25 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
Description A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.
Title Rhdh: graphql injection leading to platform-wide denial of service (dos) in rh developer hub orchestrator plugin
First Time appeared Redhat
Redhat rhdh
Weaknesses CWE-89
CPEs cpe:/a:redhat:rhdh:1
Vendors & Products Redhat
Redhat rhdh
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Redhat Developer Hub Rhdh
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-22T19:38:34.502Z

Reserved: 2026-02-24T12:08:32.734Z

Link: CVE-2026-3118

cve-icon Vulnrichment

Updated: 2026-02-25T16:28:50.268Z

cve-icon NVD

Status : Modified

Published: 2026-02-25T12:16:17.957

Modified: 2026-04-22T20:16:41.630

Link: CVE-2026-3118

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-24T00:00:00Z

Links: CVE-2026-3118 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses