PatchSiren cyber security CVE debrief

CVE-2026-44374 @backstage CVE debrief

A missing authorization check in Backstage's unprocessed entities endpoints allows any authenticated user to read unprocessed entity records regardless of ownership. The vulnerability exists in the @backstage/plugin-catalog-backend-module-unprocessed package prior to version 0.6.11. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and low confidentiality impact with no integrity or availability impact. The weakness is categorized as CWE-863 (Incorrect Authorization). The issue was published on 2026-05-14 and last modified on 2026-06-01. No known exploitation in ransomware campaigns has been reported.

Vendor
@backstage
Product
plugin-catalog-backend-module-unprocessed
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-14
Original CVE updated
2026-06-01
Advisory published
2026-05-14
Advisory updated
2026-06-01

Who should care

Organizations running Backstage developer portals with the unprocessed entities catalog module installed, particularly where the authenticated user base spans teams whose catalog data is meant to be segregated by entity ownership.

Technical summary

The @backstage/plugin-catalog-backend-module-unprocessed package exposes read endpoints for unprocessed entities that do not enforce Backstage's permission authorization framework. Any authenticated user can retrieve unprocessed entity records without ownership validation. The vulnerability is an authorization bypass leading to information disclosure. Three related packages require coordinated upgrades to fully remediate.
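The following is an added, self-contained model of the authorization gap described above. It is not Backstage's or PatchSiren's code: the `Credentials`, `Permission` and `authorize()` definitions are illustrative stand-ins for the project's permission framework, the permission name is hypothetical, and the records are constructed. It contrasts a read handler gated only by authentication with one that passes every record through a per-resource permission decision. One caveat for the hardened form: in Backstage the permission client allows every request while `permission.enabled` is false in app-config, so the check only segregates data once the framework is actually switched on.

```typescript
// Added example, not Backstage's own code. Types, authorize() and the
// permission name are illustrative stand-ins; sample records are constructed.

type AuthorizeResult = "ALLOW" | "DENY";

interface Credentials {
  principal: string;   // e.g. "user:default/alice"
  groups: string[];    // group refs the caller belongs to
  isAdmin: boolean;
}

interface UnprocessedEntity {
  entityRef: string;
  owner: string;       // group ref that owns the record
  rawYaml: string;     // unprocessed payload; may carry locations and errors
}

// Constructed stand-in for the module's unprocessed-entities table.
const UNPROCESSED: UnprocessedEntity[] = [
  { entityRef: "component:default/payments-api", owner: "group:default/payments",
    rawYaml: "apiVersion: backstage.io/v1alpha1\nkind: Component\n# ..." },
  { entityRef: "component:default/ledger", owner: "group:default/payments",
    rawYaml: "apiVersion: backstage.io/v1alpha1\nkind: Component\n# ..." },
  { entityRef: "component:default/web-portal", owner: "group:default/web",
    rawYaml: "apiVersion: backstage.io/v1alpha1\nkind: Component\n# ..." },
];

interface Permission { name: string; action: "read" }
// Hypothetical permission name, chosen for illustration only.
const unprocessedEntityReadPermission: Permission = {
  name: "catalog.unprocessed.entity.read", action: "read",
};

// Policy stand-in: admins read everything; others only their groups' records.
function authorize(perm: Permission, creds: Credentials,
                   resource: UnprocessedEntity): AuthorizeResult {
  if (perm.action !== "read") return "DENY";
  if (creds.isAdmin || creds.groups.includes(resource.owner)) return "ALLOW";
  return "DENY";
}

// Before the fix: authentication is the only gate, so any logged-in user
// receives every record regardless of ownership (CWE-863).
function vulnerableList(_creds: Credentials): UnprocessedEntity[] {
  return UNPROCESSED;
}

// After the fix: each record passes through the permission decision and
// denied records are dropped from the response.
function hardenedList(creds: Credentials): UnprocessedEntity[] {
  return UNPROCESSED.filter(
    e => authorize(unprocessedEntityReadPermission, creds, e) === "ALLOW");
}

// Single-record lookup: 404 for unknown refs, 403 when the caller is denied.
// Answering 404 for denied refs as well is the stricter choice when the
// existence of an entity is itself sensitive.
function hardenedGet(creds: Credentials, entityRef: string):
    { status: number; body?: UnprocessedEntity } {
  const e = UNPROCESSED.find(x => x.entityRef === entityRef);
  if (!e) return { status: 404 };
  if (authorize(unprocessedEntityReadPermission, creds, e) !== "ALLOW") {
    return { status: 403 };
  }
  return { status: 200, body: e };
}

// Stand-alone run: bob belongs only to the web group.
const bob: Credentials = {
  principal: "user:default/bob", groups: ["group:default/web"], isAdmin: false,
};
console.log("vulnerable:", vulnerableList(bob).map(e => e.entityRef));
console.log("hardened:  ", hardenedList(bob).map(e => e.entityRef));
console.log("get payments-api:", hardenedGet(bob, "component:default/payments-api").status);
```

The filtering shape matters for list endpoints: a single up-front check ("may this user read unprocessed entities at all?") would still leak other teams' records to anyone who passes it, so the decision has to be taken per resource, as the hardened list handler does.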

Defensive priority

medium

Recommended defensive actions

  • Upgrade @backstage/plugin-catalog-backend-module-unprocessed to version 0.6.11 or later
  • Upgrade @backstage/plugin-catalog-unprocessed-entities-common to version 0.0.15 or later
  • Upgrade @backstage/plugin-catalog-unprocessed-entities to version 0.2.30 or later
  • Review access logs for unauthorized queries to unprocessed entity endpoints
  • Verify Backstage permission framework integration is enabled and configured for catalog modules
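The three upgrades above are easy to miss in a monorepo where the common package is pulled in transitively and an older copy stays hoisted next to the fixed one. The following added example (not PatchSiren's or Backstage's code) walks the JSON tree that `npm ls --json --all` prints from a backend package directory and reports every copy of the three affected packages that is still below its fixed version, including transitive and prerelease copies. The sample tree is constructed; the fixed versions are the ones listed above.

```typescript
// Added example, not PatchSiren's or Backstage's code: audits `npm ls --json`
// output for the three affected packages. The sample tree below is constructed.

const FIXED_VERSIONS: Record<string, string> = {
  "@backstage/plugin-catalog-backend-module-unprocessed": "0.6.11",
  "@backstage/plugin-catalog-unprocessed-entities-common": "0.0.15",
  "@backstage/plugin-catalog-unprocessed-entities": "0.2.30",
};

// Shape of the relevant fields in `npm ls --json` output (nested per dependency).
interface NpmLsNode {
  version?: string;
  dependencies?: Record<string, NpmLsNode>;
}

interface Finding {
  name: string;
  installed: string;
  fixed: string;
  path: string;   // dependency path, useful when several copies are installed
}

type Semver = { core: [number, number, number]; pre: string | null };

// Parses "MAJOR.MINOR.PATCH[-prerelease]"; build metadata is ignored.
function parseSemver(v: string): Semver {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] === undefined ? null : m[4],
  };
}

// True when `installed` is strictly lower than `fixed`. A prerelease of the
// fix (e.g. 0.6.11-next.0) sorts below the release and is reported.
function isBelow(installed: string, fixed: string): boolean {
  const a = parseSemver(installed);
  const b = parseSemver(fixed);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  if (a.pre === b.pre) return false;
  if (a.pre !== null && b.pre === null) return true;
  if (a.pre === null) return false;
  return a.pre < b.pre; // simplification: lexical compare of prerelease tags
}

// Walks the whole tree so transitive copies are reported too; a top-level
// `npm ls <pkg>` alone can hide a second, older copy deeper in the tree.
function auditTree(root: NpmLsNode, path: string[] = []): Finding[] {
  const findings: Finding[] = [];
  for (const [name, node] of Object.entries(root.dependencies ?? {})) {
    const here = [...path, name];
    const fixed = FIXED_VERSIONS[name];
    if (fixed !== undefined && node.version !== undefined
        && isBelow(node.version, fixed)) {
      findings.push({ name, installed: node.version, fixed, path: here.join(" > ") });
    }
    findings.push(...auditTree(node, here));
  }
  return findings;
}

// Constructed sample of `npm ls --json --all` for a Backstage backend package:
// the frontend plugin is already fixed, the backend module and the common
// package it depends on are not.
const SAMPLE_NPM_LS: NpmLsNode = {
  version: "0.0.0",
  dependencies: {
    "@backstage/plugin-catalog-backend-module-unprocessed": {
      version: "0.6.10",
      dependencies: {
        "@backstage/plugin-catalog-unprocessed-entities-common": { version: "0.0.14" },
      },
    },
    "@backstage/plugin-catalog-unprocessed-entities": { version: "0.2.30" },
    "express": { version: "4.19.2" },
  },
};

function runAudit(tree: NpmLsNode = SAMPLE_NPM_LS): Finding[] {
  return auditTree(tree);
}

for (const f of runAudit()) {
  console.log(`${f.path}: ${f.installed} < ${f.fixed} (vulnerable)`);
}
```

To run it against a real deployment, replace `SAMPLE_NPM_LS` with the parsed output of `npm ls --json --all` (or the equivalent for your package manager) from each backend and frontend package, since the frontend plugin and the backend module are usually installed in different workspaces.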

Evidence notes

The CVE description and NVD record confirm the affected packages and versions. The GitHub Security Advisory provides vendor mitigation guidance. CPE criteria specify three affected npm packages with exact version boundaries.
