PatchSiren cyber security CVE debrief
CVE-2026-29186 backstage CVE debrief
CVE-2026-29186 is a high-severity configuration bypass vulnerability in the Backstage Plugin-Techdocs-Node (the @backstage/plugin-techdocs-node package). An attacker can craft an mkdocs.yml file that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. The issue has been patched in version 1.14.3. It has a CVSS score of 7.7 and is considered high severity. It was published on March 7, 2026, and last modified on June 30, 2026.
- Vendor: backstage
- Product: Unknown
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-07
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-07
- Advisory updated: 2026-06-30
Who should care
Users of the Backstage Plugin-Techdocs-Node, especially those running versions prior to 1.14.3, should be aware of this vulnerability and take steps to mitigate it: upgrade to the latest version and review configuration files for potential security risks. Developers who use Backstage as a developer portal should likewise be aware of it and take steps to protect their applications.
Technical summary
The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. However, a gap in this allowlist allows attackers to craft an mkdocs.yml file that causes arbitrary Python code execution. The vulnerability can be exploited by attackers with low privileges and can result in high impact to confidentiality, integrity, and availability. It is attributed to the weaknesses CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-74 (External Control of File Name or Path).
Defensive priority
High priority should be given to upgrading to version 1.14.3 or later. Additionally, users should review their configuration files for any potential security risks and ensure that they are not using any vulnerable versions of the Backstage Plugin-Techdocs-Node.
Recommended defensive actions
- Upgrade to version 1.14.3 or later of the Backstage Plugin-Techdocs-Node.
- Review configuration files for any potential security risks.
- Ensure that no vulnerable versions of the Backstage Plugin-Techdocs-Node are being used.
- Monitor for any suspicious activity related to the Backstage Plugin-Techdocs-Node.
- Consider implementing additional security controls to prevent exploitation of this vulnerability.
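An added example (not code from Backstage or from the advisory) for the "ensure no vulnerable versions are being used" step: it scans the text of a yarn.lock for resolved copies of @backstage/plugin-techdocs-node older than 1.14.3. It assumes a Yarn lockfile in either the classic or the Berry layout; the function names and the sample fragment are constructed for illustration.

```javascript
const PKG_HEADER = /(^|[",\s])@backstage\/plugin-techdocs-node@/;
const FIXED = '1.14.3'; // patched release named on this page

// Split "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// True when a sorts before b. A prerelease such as 1.14.3-next.0 sorts
// before 1.14.3 and is conservatively reported as unpatched.
function isBefore(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return true; // unparseable: surface for manual review
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i];
  }
  return pa.pre !== null && pb.pre === null;
}

// Return every resolved version of the package below FIXED. Handles the
// classic (`version "x"`) and Berry (`version: x`) entry layouts.
function findVulnerable(yarnLockText) {
  const hits = [];
  let inEntry = false;
  for (const line of yarnLockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) { // an unindented line starts a new entry
      inEntry = PKG_HEADER.test(line);
      continue;
    }
    const m = inEntry && /^\s+version:?\s+"?([^"\s]+)"?/.exec(line);
    if (m) {
      if (isBefore(m[1], FIXED)) hits.push(m[1]);
      inEntry = false; // only the first version line belongs to the entry
    }
  }
  return hits;
}

// Constructed lockfile fragment mixing both layouts (not a real project).
const sample = [
  '"@backstage/plugin-techdocs-node@^1.13.0":', '  version "1.13.9"',
  '"@backstage/plugin-techdocs-node@npm:^1.14.0":', '  version: 1.14.3',
  '"@backstage/plugin-techdocs-node@npm:next":', '  version: 1.14.3-next.0',
  '"@backstage/plugin-techdocs@npm:^1.10.0":', '  version: 1.10.0',
].join('\n');

console.log(findVulnerable(sample));
```

On a real checkout, pass the contents of the repository's yarn.lock to `findVulnerable`; any returned version is a copy that still needs the upgrade.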
Evidence notes
The evidence for this vulnerability comes from the NVD and CVE.org. The vulnerability has been patched in version 1.14.3, and users are advised to upgrade to this version or later. The vulnerability has a CVSS score of 7.7 and is considered high severity.
Official resources
- CVE-2026-29186 CVE record (CVE.org)
- CVE-2026-29186 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Vendor Advisory)
- Source reference (0b0ca135-0b70-47e7-9f44-1890c2a1c46c)
This article is AI-assisted and based on the supplied source corpus.