Platform: nodejs
Component: @backstage/backend-defaults
Fixed in: 0.12.3, 0.13.1, 0.14.1, 2.2.3, 3.0.1, 3.1.1, 0.11.3, 0.12.1, 0.12.2
CVE-2026-24046 describes a Path Traversal vulnerability discovered in @backstage/backend-defaults, a component used within Backstage, a developer portal platform. This vulnerability allows attackers with the ability to create and execute Scaffolder templates to exploit symlinks, potentially leading to unauthorized file access, deletion, or modification. The vulnerability affects versions prior to 0.12.2, and a patch has been released.
The impact of this vulnerability is significant due to the potential for unauthorized access and modification of sensitive files. An attacker could leverage this flaw to read configuration files, secrets, or even system files like /etc/passwd. Furthermore, the fs:delete action allows for the deletion of arbitrary files outside the intended workspace, potentially disrupting critical infrastructure. The archive extraction functionality introduces another attack vector, enabling attackers to write malicious files outside the workspace by crafting archives containing symlinks. This could lead to code execution or further compromise of the system.
This vulnerability was publicly disclosed on January 21, 2026. There is currently no indication of active exploitation in the wild, but the availability of a proof-of-concept could change this. The vulnerability's impact is amplified by the widespread adoption of Backstage and its reliance on Scaffolder templates. It is not currently listed on CISA KEV.
Organizations using @backstage/backend-defaults in their development workflows, particularly those with Scaffolder templates that allow user-defined file paths, are at risk. Shared hosting environments where multiple users can create and execute Scaffolder templates are especially vulnerable.
• nodejs / server:
find /path/to/backstage/node_modules/@backstage/backend-defaults -type f -name '*.js' -exec grep -i 'debug:log' {} \;
• nodejs / supply-chain:
Review Scaffolder template files for suspicious symlink usage (e.g., ../, /etc/passwd).
• generic web:
Inspect access logs for unusual file access patterns, particularly attempts to access files outside the expected workspace.
Disclosure
Exploit status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24046 is to upgrade to @backstage/backend-defaults version 0.12.2 or later. If an immediate upgrade is not feasible, consider implementing stricter workspace sandboxing and input validation within your Scaffolder templates to prevent the creation of malicious symlinks. Review and restrict the permissions granted to Scaffolder templates to minimize the potential impact of exploitation. Monitor system logs for suspicious file access or deletion patterns related to Scaffolder actions. After upgrading, confirm the fix by attempting to create a Scaffolder template that utilizes symlinks and verifying that access is restricted.
Update the `@backstage/backend-defaults`, `@backstage/plugin-scaffolder-backend` and `@backstage/plugin-scaffolder-node` packages to versions 0.12.2, 0.13.2, 0.14.1 and 0.15.0; 2.2.2, 3.0.2 and 3.1.1; and 0.11.2 and 0.12.3 respectively, or later. Limit access to template creation and updates. Restrict who can create and run Scaffolder templates using the permission framework.
CVE-2026-24046 is a Path Traversal vulnerability in @backstage/backend-defaults allowing attackers to read, delete, or write arbitrary files via symlink manipulation before version 0.12.2.
You are affected if you are using @backstage/backend-defaults versions prior to 0.12.2 and allow users to create and execute Scaffolder templates.
Upgrade to version 0.12.2 or later. If immediate upgrade is not possible, restrict user permissions and validate file paths.
There is currently no evidence of active exploitation, but the vulnerability's potential impact warrants attention.
Refer to the official Backstage security advisories for details: [https://backstage.io/security](https://backstage.io/security)