MEDIUM
@backstage
CVE published 2026-05-14
CVE-2026-44374
A missing authorization check in Backstage's unprocessed entities endpoints allows any authenticated user to read unprocessed entity records regardless of ownership. The vulnerability exists in the @backstage/plugin-catalog-backend-module-unprocessed package prior to version 0.6.11. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, un [truncated]