PatchSiren cyber security CVE debrief

CVE-2026-24046 Backstage CVE debrief

CVE-2026-24046 is a high-severity vulnerability in Backstage, an open framework for building developer portals. Several Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal. An attacker able to create and execute Scaffolder templates could use symlinks to read arbitrary files, delete arbitrary files, and, through extraction of an archive containing malicious symlinks, write files outside the workspace. Any Backstage deployment in which users can create or execute Scaffolder templates is affected. The vulnerability is fixed in specific versions of `@backstage/backend-defaults`, `@backstage/plugin-scaffolder-backend`, and `@backstage/plugin-scaffolder-node`; users should upgrade to those versions or later.

Vendor: backstage
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-21
Original CVE updated: 2026-06-30
Advisory published: 2026-01-21
Advisory updated: 2026-06-30

Who should care

Organizations running Backstage should prioritize patching this vulnerability, especially where users can create or execute Scaffolder templates. Developers and administrators who maintain Backstage deployments should understand the risk and apply the mitigations listed below.

Technical summary

An attacker able to create and execute Scaffolder templates can abuse symlinks to read or delete files the portal should not expose, or to write files outside the workspace during archive extraction. The affected components are Scaffolder actions and the archive extraction utilities they rely on. The fix is to upgrade to the patched versions of `@backstage/backend-defaults`, `@backstage/plugin-scaffolder-backend`, and `@backstage/plugin-scaffolder-node`.

Defensive priority

Patching should be treated as high priority, since exploitation requires only the ability to create and execute Scaffolder templates. Until the upgrade is applied, limiting who can create, update and execute Scaffolder templates reduces the exposed attack surface.

Recommended defensive actions

  • Upgrade to the fixed versions of `@backstage/backend-defaults`, `@backstage/plugin-scaffolder-backend`, and `@backstage/plugin-scaffolder-node`.
  • Limit access to creating and updating templates.
  • Restrict who can create and execute Scaffolder templates using the permissions framework.
  • Audit existing templates for symlink usage.
  • Consider running Backstage in a containerized environment with limited filesystem access.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, its impact, and the fixes. Additional references from GitHub and Red Hat offer further context and advisories related to the vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.