Platform
nodejs
Component
@backstage/integration
Fixed in
1.20.2
1.20.1
CVE-2026-29185 describes a path traversal vulnerability discovered in @backstage/integration, a component used for integrating with Source Code Management (SCM) systems within Backstage. This flaw allows attackers to potentially redirect API requests to unintended SCM provider endpoints using configured server-side integration credentials. The vulnerability impacts instances utilizing SCM integrations like GitHub and Bitbucket, particularly when user-provided SCM URLs are processed. A patch is available in version 1.20.1.
The core of this vulnerability lies in the way @backstage/integration parses SCM URLs. Attackers can craft malicious URLs containing path traversal sequences, encoded to bypass initial checks. When these URLs are processed by integration functions that build API URLs, the traversal segments can redirect requests to arbitrary SCM provider API endpoints. This redirection occurs using the server-side integration credentials configured within the Backstage instance, effectively allowing an attacker to impersonate the integration and potentially access sensitive data or perform actions on behalf of the system. The blast radius extends to any feature relying on user-provided SCM URLs, such as the scaffolder or other integration points.
CVE-2026-29185 was publicly disclosed on 2026-03-05. There is no indication of active exploitation or a KEV listing at the time of writing. No public proof-of-concept (POC) code has been released. The vulnerability's LOW CVSS score suggests a relatively low probability of exploitation, but the potential for credential compromise warrants prompt remediation.
Exploit Status
EPSS
0.01% (2nd percentile)
The primary mitigation for CVE-2026-29185 is to upgrade to @backstage/integration version 1.20.1 or later. This version includes fixes to properly sanitize and validate SCM URLs, preventing path traversal attempts. As a temporary workaround, carefully validate and sanitize all user-provided SCM URLs before they are processed by integration functions. Consider implementing stricter URL validation rules and restricting the allowed characters and protocols. While not a direct fix, reviewing and restricting the permissions granted to server-side integration credentials can limit the potential impact of a successful attack. After upgrading, confirm the fix by attempting to submit a crafted URL containing path traversal sequences and verifying that the request is properly blocked.
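As an added illustration of the interim workaround described above (example code written for this page, not code from Backstage or the @backstage/integration package), the following Node.js validator is applied to a user-supplied SCM URL before it reaches any integration helper that builds provider API URLs. The host allowlist, permitted protocol set and per-segment character rule are constructed assumptions standing in for an instance's own integration configuration; the sample inputs are constructed as well. The decoder is run repeatedly so that double-encoded traversal sequences, which a single decode pass would miss, are still caught.

```javascript
// Added example, not part of @backstage/integration. Validates and canonicalises
// a user-provided SCM URL before it is handed to integration code.

// Constructed allowlist: replace with the hosts from the instance's own
// integrations config (assumption, not read from Backstage).
const ALLOWED_HOSTS = new Set(['github.com', 'bitbucket.org']);
const ALLOWED_PROTOCOLS = new Set(['https:']);
// Conservative character set for an owner / repository / path segment.
const SEGMENT_RE = /^[A-Za-z0-9._-]+$/;
// Upper bound on decode rounds; anything still changing after this is rejected.
const MAX_DECODE_ROUNDS = 3;

// Percent-decode a path segment until it stops changing, so nested encodings
// such as %252e%252e (-> %2e%2e -> ..) are fully revealed. Returns null for
// malformed or excessively nested encodings.
function decodeFully(segment) {
  let current = segment;
  for (let round = 0; round < MAX_DECODE_ROUNDS; round++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      return null; // malformed percent sequence
    }
    if (next === current) return next;
    current = next;
  }
  return null;
}

// Returns { ok: true, host, segments } for an acceptable URL, otherwise
// { ok: false, reason } with a short machine-readable reason.
function validateScmUrl(input) {
  let url;
  try {
    url = new URL(input); // WHATWG parser; global in Node.js
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return { ok: false, reason: 'protocol' };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: 'host' };
  if (url.username || url.password) return { ok: false, reason: 'userinfo' };

  // The WHATWG parser already collapses literal "." / ".." segments, so a
  // URL that reached here with too few segments was either too short or
  // traversed out of its owner/repo prefix.
  const rawSegments = url.pathname.split('/').filter((s) => s.length > 0);
  if (rawSegments.length < 2) return { ok: false, reason: 'path too short' };

  const segments = [];
  for (const raw of rawSegments) {
    const decoded = decodeFully(raw);
    if (decoded === null) return { ok: false, reason: 'bad encoding' };
    if (decoded === '.' || decoded === '..') return { ok: false, reason: 'traversal' };
    if (!SEGMENT_RE.test(decoded)) return { ok: false, reason: 'bad chars' };
    segments.push(decoded);
  }
  return { ok: true, host: url.hostname, segments };
}

// Rebuilds the URL from validated parts only, discarding query, fragment and
// any original encoding, so downstream code never sees the raw input.
function canonicalScmUrl(input) {
  const result = validateScmUrl(input);
  if (!result.ok) return null;
  return `https://${result.host}/${result.segments.join('/')}`;
}

module.exports = { validateScmUrl, canonicalScmUrl, decodeFully };
```

Only the canonical string from `canonicalScmUrl` should be passed on; rejecting on any failure reason, rather than attempting to repair the input, keeps the check simple to reason about and avoids reintroducing a parsing difference between this layer and the integration code.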
Update the `@backstage/integration` package to version 1.20.1 or higher. This will fix the path traversal vulnerability in SCM URL parsing. Run `npm update @backstage/integration` to update to the patched version.
CVE-2026-29185 is a path traversal vulnerability in the @backstage/integration component, allowing attackers to redirect API requests using server-side credentials.
You are affected if you use @backstage/integration versions prior to 1.20.1 and utilize SCM integrations with user-provided URLs.
Upgrade to @backstage/integration version 1.20.1 or later to patch the vulnerability. Validate and sanitize user-provided URLs as a temporary workaround.
There is currently no evidence of active exploitation of CVE-2026-29185.
Refer to the official Backstage security advisory for detailed information and updates: [https://backstage.io/security](https://backstage.io/security)