The vulnerability resides in the unprocessed entities read endpoints of Backstage’s catalog backend module. The code handling these endpoints fails to enforce permission checks, which allows any authenticated user to read unprocessed entity records irrespective of ownership. As a result, sensitive information about entities that belong to other owners can be disclosed. This weakness is classified as CWE-862 and CWE-863, reflecting missing authorization checks on data objects.

Backstage installations that use @backstage/plugin-catalog-backend-module-unprocessed, @backstage/plugin-catalog-unprocessed-entities, or @backstage/plugin-catalog-unprocessed-entities-common without applying the recent security patch. The specific patched versions are 0.6.11 for the backend module, 0.2.30 for the unprocessed entities plugin, and 0.0.15 for the common unprocessed entities utilities. Any installation using older versions of these components is affected.

The CVSS score of 4.3 indicates a moderate severity. The EPSS score is 0.00031 (<1%), and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to be an authenticated attacker who can authenticate to the Backstage instance and then exploit the missing permission checks by issuing read requests to the unprocessed endpoints. The impact is confined to information disclosure and does not allow escalation or disruption of services.