PatchSiren cyber security CVE debrief
CVE-2026-24046 backstage CVE debrief
CVE-2026-24046 is a high-severity vulnerability affecting Backstage, an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files, delete arbitrary files, and write files outside the workspace via archive extraction containing malicious symlinks. This vulnerability affects any Backstage deployment where users can create or execute Scaffolder templates. The vulnerability is fixed in specific versions of `@backstage/backend-defaults`, `@backstage/plugin-scaffolder-backend`, and `@backstage/plugin-scaffolder-node`. Users should upgrade to these versions or later.
- Vendor: backstage
- Product: Unknown
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-21
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-21
- Advisory updated: 2026-06-30
Who should care
Organizations using Backstage should prioritize patching this vulnerability, especially if users can create or execute Scaffolder templates. Developers and administrators responsible for maintaining Backstage deployments should be aware of the potential risks and take necessary actions to mitigate the vulnerability.
Technical summary
The vulnerability allows an attacker with access to create and execute Scaffolder templates to exploit symlinks, potentially leading to unauthorized file access, deletion, and writing outside the workspace. The affected components include Scaffolder actions and archive extraction utilities. The fixes involve upgrading to specific versions of `@backstage/backend-defaults`, `@backstage/plugin-scaffolder-backend`, and `@backstage/plugin-scaffolder-node`.
Defensive priority
Patching should be treated as high priority, because the only precondition for exploitation is the ability to create and execute Scaffolder templates. Limiting who can create, update, and execute Scaffolder templates narrows the set of users able to reach the vulnerable code paths while the upgrade is rolled out.
Recommended defensive actions
- Upgrade to the fixed versions of `@backstage/backend-defaults`, `@backstage/plugin-scaffolder-backend`, and `@backstage/plugin-scaffolder-node`.
- Limit access to creating and updating templates.
- Restrict who can create and execute Scaffolder templates using the permissions framework.
- Audit existing templates for symlink usage.
- Consider running Backstage in a containerized environment with limited filesystem access.
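The archive-extraction variant described above is closed by the same kind of check whatever the archive format: every entry path and every symlink target must resolve inside the workspace before anything is written. The following is an added illustration of that check, not Backstage's own code; the workspace path and the entries are constructed samples.

```typescript
// Added example, not Backstage project code: reject archive entries whose
// path or symlink target resolves outside the extraction workspace.
import * as path from 'path';

// Minimal view of an archive entry, as tar/zip readers typically expose it.
interface ArchiveEntry {
  name: string;                     // path recorded inside the archive
  type: 'file' | 'dir' | 'symlink';
  linkTarget?: string;              // symlinks only; relative or absolute
}

// True when `candidate` equals `root` or lies beneath it. Lexical check on
// resolved paths; a name such as `..foo` is not mistaken for traversal.
function isInside(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate);
  return rel === '' || (rel !== '..' && !rel.startsWith('..' + path.sep));
}

// Returns null when the entry is safe to extract, otherwise a reason string.
// Symlink targets are resolved against the directory that will hold the
// link, which is how the OS interprets them after extraction.
function checkEntry(workspace: string, entry: ArchiveEntry): string | null {
  const root = path.resolve(workspace);
  const dest = path.resolve(root, entry.name);
  if (!isInside(root, dest)) {
    return `entry path escapes workspace: ${entry.name}`;
  }
  if (entry.type === 'symlink') {
    if (entry.linkTarget === undefined) {
      return `symlink without target: ${entry.name}`;
    }
    const target = path.isAbsolute(entry.linkTarget)
      ? path.resolve(entry.linkTarget)
      : path.resolve(path.dirname(dest), entry.linkTarget);
    if (!isInside(root, target)) {
      return `symlink target escapes workspace: ${entry.name} -> ${entry.linkTarget}`;
    }
  }
  return null;
}

// Constructed sample: a workspace path and four entries, two of which escape.
const sampleWorkspace = '/tmp/scaffolder-workspace';
const sampleEntries: ArchiveEntry[] = [
  { name: 'src/index.ts', type: 'file' },
  { name: 'docs/readme-link', type: 'symlink', linkTarget: '../README.md' },
  { name: 'escape-link', type: 'symlink', linkTarget: '../../outside.txt' },
  { name: '../escape.txt', type: 'file' },
];
```

The check is lexical and sees one entry at a time, so the simplest policy for archives fed from templates is to reject symlink entries outright. It also does nothing about symlinks already present on disk, which need a realpath check at write time.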
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, its impact, and the fixes. Additional references from GitHub and Red Hat offer further context and advisories related to the vulnerability.
Official resources
- CVE-2026-24046 CVE record (CVE.org)
- CVE-2026-24046 NVD detail (NVD)
- Source item URL: nvd_modified
This article is AI-assisted and based on the supplied source corpus.