PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-29186 backstage CVE debrief

CVE-2026-29186 is a high-severity configuration bypass vulnerability in the Backstage Plugin-Techdocs-Node. The vulnerability allows attackers to craft an mkdocs.yml file that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3. The vulnerability has a CVSS score of 7.7 and is considered high severity. The vulnerability was published on March 7, 2026, and last modified on June 30, 2026.

Vendor
backstage
Product
Unknown
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-07
Original CVE updated
2026-06-30
Advisory published
2026-03-07
Advisory updated
2026-06-30

Who should care

Operators running the Backstage Plugin-Techdocs-Node at any version before 1.14.3 are affected and should upgrade, then review their configuration files for anything unexpected. Developers who run Backstage as a developer portal should likewise confirm which version of the plugin their deployment uses and take the same steps.

Technical summary

The @backstage/plugin-techdocs-node package filters MkDocs configuration keys against an allowlist during the documentation build. A gap in that allowlist lets an attacker supply an mkdocs.yml file that causes arbitrary Python code to run. Exploitation requires only low privileges and has high impact on confidentiality, integrity, and availability. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-74 (External Control of File Name or Path).

Defensive priority

Upgrading to version 1.14.3 or later is the highest priority. Until that is done, review configuration files for unexpected content and confirm that no vulnerable version of the Backstage Plugin-Techdocs-Node remains in use.

Recommended defensive actions

  • Upgrade to version 1.14.3 or later of the Backstage Plugin-Techdocs-Node.
  • Review configuration files for any potential security risks.
  • Ensure that no vulnerable versions of the Backstage Plugin-Techdocs-Node are being used.
  • Monitor for any suspicious activity related to the Backstage Plugin-Techdocs-Node.
  • Consider implementing additional security controls to prevent exploitation of this vulnerability.
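The technical summary above describes the control as an allowlist of MkDocs configuration keys, and the actions above ask operators to review their configuration files. The following TypeScript is an added example for that review step; it is not code from Backstage or from the plugin. It extracts the top-level keys of an mkdocs.yml document and reports any that fall outside an explicit allowlist. The allowlist, the sample document and the key name `unexpected_section` are constructed for illustration and are not the plugin's own list or the key involved in this CVE; adapt the list to your own policy.

```typescript
// Added example, not part of @backstage/plugin-techdocs-node.
// A defender-side pre-build check: which top-level sections does this
// mkdocs.yml contain, and are all of them on the list we have decided to permit?
// An allowlist fails closed: a section that is not listed is reported, which is
// the property a denylist cannot give you when a new key appears.

// Constructed illustration of a policy; NOT the allowlist shipped by the plugin.
const ALLOWED_TOP_LEVEL_KEYS: ReadonlySet<string> = new Set([
  "site_name",
  "site_description",
  "site_url",
  "repo_url",
  "edit_uri",
  "docs_dir",
  "nav",
  "theme",
  "markdown_extensions",
  "extra",
]);

interface ConfigFinding {
  line: number; // 1-based line number in the YAML text
  key: string;  // the top-level key found there
}

// Extracts top-level mapping keys without a YAML library. A top-level key is an
// unindented `key:` line; indented lines belong to nested structures and are
// ignored on purpose, because the question is which sections exist at all.
// Limitation: quoted keys and flow-style mappings (`{a: 1}`) are not handled,
// so a production check should parse with a real YAML parser.
function topLevelKeys(yaml: string): ConfigFinding[] {
  const out: ConfigFinding[] = [];
  const lines = yaml.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const m = /^([A-Za-z_][A-Za-z0-9_-]*)\s*:/.exec(lines[i]);
    if (m) out.push({ line: i + 1, key: m[1] });
  }
  return out;
}

// Returns every top-level key that is not on the allowlist. An empty result
// means the document only uses sections the policy permits.
function findDisallowedKeys(
  yaml: string,
  allow: ReadonlySet<string> = ALLOWED_TOP_LEVEL_KEYS,
): ConfigFinding[] {
  return topLevelKeys(yaml).filter((k) => !allow.has(k.key));
}

// Constructed sample document; `unexpected_section` is a made-up key used only
// to show a finding, not a key with any meaning to MkDocs or TechDocs.
const SAMPLE_MKDOCS_YML = `# constructed sample, not from any real project
site_name: Example Service
site_url: https://docs.example.internal
nav:
  - Home: index.md
  - Guide: guide.md
theme:
  name: material
markdown_extensions:
  - toc
unexpected_section: present
`;

for (const f of findDisallowedKeys(SAMPLE_MKDOCS_YML)) {
  console.log(`mkdocs.yml line ${f.line}: top-level key "${f.key}" is not on the allowlist`);
}
```

Run this over every mkdocs.yml that TechDocs will build (for example in CI, before the build step) and treat any finding as a reason to block the build and inspect the document. The check is only as strong as its allowlist, which is exactly the lesson of this CVE: keep the list short, decide additions deliberately, and rely on the upgraded plugin, not on this script, as the actual control.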

Evidence notes

The evidence for this debrief comes from the NVD and CVE.org records. Both report the fix in version 1.14.3 and a CVSS score of 7.7 (high); users are advised to upgrade to that version or later.

Official resources

This article is AI-assisted and based on the supplied source corpus.