Platform: nodejs
Component: @backstage/backend-defaults
Fixed in: 0.12.3, 0.13.1, 0.14.1, 2.2.3, 3.0.1, 3.1.1, 0.11.3, 0.12.1, 0.12.2
CVE-2026-24046 describes a Path Traversal vulnerability discovered in @backstage/backend-defaults. This flaw allows attackers with the ability to create and execute Scaffolder templates to exploit symlinks, potentially leading to unauthorized file access, deletion, or modification. The vulnerability impacts versions before 0.12.2, and a patch has been released.
The vulnerability stems from insufficient validation of file paths during Scaffolder actions and archive extraction. An attacker can craft malicious Scaffolder templates containing symbolic links that point outside the intended workspace. This allows them to read sensitive files like /etc/passwd or configuration files through the debug:log action. Furthermore, the fs:delete action can be abused to delete arbitrary files by creating symlinks pointing outside the workspace. Archive extraction (tar/zip) is also vulnerable, allowing attackers to write files outside the workspace by including malicious symlinks within the archive.
This vulnerability was publicly disclosed on January 21, 2026. There is currently no indication of active exploitation in the wild, but the ease of exploitation and potential impact warrant attention. No Proof of Concept (PoC) has been publicly released at the time of this writing. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to version 0.12.2 or later, which includes the necessary fixes. If upgrading immediately is not possible, consider restricting the permissions of users who can create and execute Scaffolder templates. Implement strict input validation for all file paths used in Scaffolder actions. Review existing Scaffolder templates for any suspicious symlink usage. Consider using a Web Application Firewall (WAF) with path traversal protection rules, although this is not a substitute for patching.
Update the `@backstage/backend-defaults`, `@backstage/plugin-scaffolder-backend` and `@backstage/plugin-scaffolder-node` packages to versions 0.12.2, 0.13.2, 0.14.1 and 0.15.0; 2.2.2, 3.0.2 and 3.1.1; and 0.11.2 and 0.12.3 respectively, or to later versions. Limit access to template creation and updating. Restrict who can create and execute Scaffolder templates using the permission framework.
CVE-2026-24046 is a Path Traversal vulnerability in @backstage/backend-defaults allowing attackers to read, delete, or write arbitrary files via symlink manipulation before version 0.12.2.
You are affected if you are using @backstage/backend-defaults versions prior to 0.12.2 and allow users to create and execute Scaffolder templates.
Upgrade to version 0.12.2 or later. If immediate upgrade is not possible, restrict user permissions and validate file paths.
There is currently no evidence of active exploitation, but the vulnerability's potential impact warrants attention.
Refer to the official Backstage security advisories for details: [https://backstage.io/security](https://backstage.io/security)