Description
Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.
Published: 2026-03-12
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Backstage is an open framework for building developer portals. Prior to version 3.1.5, an authenticated user with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets via the dry-run API response; the payload does not fully redact secrets, which can expose sensitive data. This flaw represents an information disclosure weakness (CWE-200) and a related data handling issue (CWE-497).

Affected Systems

The affected product is @backstage/plugin-scaffolder-backend. All deployments using a version prior to 3.1.5 that have configured scaffolder.defaultEnvironment.secrets are impacted. The common platform enumeration string for the affected platform is cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication and permission to run dry-runs, and is limited to the specific configured environment secrets of the deployment. The official fix is included in version 3.1.5 of the plugin, which fully redacts secrets from the dry-run response.

Generated by OpenCVE AI on March 19, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @backstage/plugin-scaffolder-backend to version 3.1.5 or newer
  • Review and remove or securely manage any scaffolder.defaultEnvironment.secrets if possible
  • If upgrade is not yet feasible, restrict dry-run permissions to trusted users only
  • Verify that any logs or responses no longer contain unredacted secrets after remediation

Generated by OpenCVE AI on March 19, 2026 at 22:35 UTC.
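A defender-side check for the log-only redaction described above and for the last recommended action: an added example, not Backstage's own code, that redacts configured secret values across the entire dry-run response payload and reports the JSON paths where a secret still appears. The response field names and the token value are constructed assumptions, not the real dry-run response schema.

```typescript
// Added example, not Backstage's own code: payload-wide redaction plus a leak audit.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

const REDACTED = '***';

// Replace every occurrence of each secret value anywhere in the payload, not only in log lines.
function redactSecrets(value: Json, secrets: string[]): Json {
  if (typeof value === 'string') {
    let out = value;
    for (const s of secrets) {
      if (s.length > 0) out = out.split(s).join(REDACTED);
    }
    return out;
  }
  if (Array.isArray(value)) return value.map(item => redactSecrets(item, secrets));
  if (value !== null && typeof value === 'object') {
    const result: { [key: string]: Json } = {};
    for (const key of Object.keys(value)) result[key] = redactSecrets(value[key], secrets);
    return result;
  }
  return value; // number, boolean or null: nothing to redact
}

// Return the JSON paths at which any secret still appears in clear text (post-upgrade audit).
function findLeaks(value: Json, secrets: string[], path = '$'): string[] {
  const leaks: string[] = [];
  if (typeof value === 'string') {
    for (const s of secrets) {
      if (s.length > 0 && value.indexOf(s) !== -1) { leaks.push(path); break; }
    }
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => leaks.push(...findLeaks(item, secrets, `${path}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) leaks.push(...findLeaks(value[key], secrets, `${path}.${key}`));
  }
  return leaks;
}

// Constructed sample: one secret as it might be set under scaffolder.defaultEnvironment.secrets,
// and a response whose log line is redacted while other fields are not. Field names are
// assumptions, not the real dry-run response schema.
const sampleSecrets = ['ghp_constructedExampleToken'];
const sampleResponse: Json = {
  log: [{ body: { message: 'Authenticating with token ***' } }],
  output: { token: 'ghp_constructedExampleToken' },
  steps: [{ id: 'fetch', input: { headers: { Authorization: 'Bearer ghp_constructedExampleToken' } } }],
};
console.log(findLeaks(sampleResponse, sampleSecrets)); // → [ '$.output.token', '$.steps[0].input.headers.Authorization' ]
console.log(findLeaks(redactSecrets(sampleResponse, sampleSecrets), sampleSecrets)); // → []
```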


Advisories

Source: GitHub GHSA
ID: GHSA-8wq8-6859-qx77
Title: @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint
History

Thu, 19 Mar 2026 21:00:00 +0000
  First Time appeared (added): Linuxfoundation; Linuxfoundation backstage
  Weaknesses (added): NVD-CWE-noinfo
  CPEs (added): cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*
  Vendors & Products (added): Linuxfoundation; Linuxfoundation backstage

Fri, 13 Mar 2026 10:00:00 +0000
  First Time appeared (added): Backstage; Backstage plugin-scaffolder-backend
  Vendors & Products (added): Backstage; Backstage plugin-scaffolder-backend

Fri, 13 Mar 2026 00:15:00 +0000
  Weaknesses (added): CWE-497
  References: (no values shown)
  Metrics: threat_severity None (removed) → Moderate (added)

Thu, 12 Mar 2026 21:15:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 19:00:00 +0000
  Description (added): Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.
  Title (added): @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint
  Weaknesses (added): CWE-200
  References: (no values shown)
  Metrics (added): cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:46:35.503Z

Reserved: 2026-03-11T14:47:05.684Z

Link: CVE-2026-32237

Vulnrichment

Updated: 2026-03-12T20:38:12.324Z

NVD

Status: Analyzed

Published: 2026-03-12T19:16:19.040

Modified: 2026-03-19T20:49:17.060

Link: CVE-2026-32237

Red Hat

Severity: Moderate

Public Date: 2026-03-12T18:38:57Z

Links: CVE-2026-32237 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T09:55:00Z