PT-2026-23440 · Netflix · Backstage

Published 2026-03-05 · Updated 2026-03-07 · CVE-2026-29185

CVSS v3.1: 2.7 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Backstage versions prior to 1.20.1

Description: Backstage is a framework for building developer portals. A flaw in how Backstage parses SCM URLs within its integrations let path traversal sequences pass through, including percent-encoded ones. When an integration function processed such a URL, the resulting request could be redirected to an unintended API endpoint of the SCM provider while still carrying the integration's credentials. The issue affects instances that use SCM integrations such as GitHub, Bitbucket Server, and Bitbucket Cloud together with features that accept user-provided SCM URLs. The vulnerable component is the SCM URL parsing used by Backstage integrations; the affected endpoints are the SCM provider's own API endpoints, reachable through those integration functions; the vulnerable input is the SCM URL itself.

Recommendations: Upgrade to Backstage version 1.20.1 or later.
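The description above turns on a detail worth seeing in code: a traversal check that runs after URL parsing is too late, because the WHATWG URL parser (Node's `new URL(...)`) resolves `..` and `%2e%2e` segments itself, so `url.pathname` never shows them, while a double-encoded `%252e%252e` survives parsing and can be decoded by whatever sits behind the integration. The following TypeScript is an added example, not Backstage's own code or its fix: it allow-lists scheme and host, then rejects any dot-segment traversal found in the raw URL after bounded repeated decoding. Host names, the `example-org` paths and the `SAMPLE_URLS` list are constructed for illustration.

```typescript
// Added example, not Backstage's own code: a conservative validator for
// user-supplied SCM URLs that rejects dot-segment traversal in any
// encoding before the URL reaches an integration that would attach
// credentials to it. Host names and sample URLs are constructed.

const MAX_DECODE_ROUNDS = 3;

// Percent-decode repeatedly (bounded) so that "%2e%2e" and the
// double-encoded "%252e%252e" both end up as "..".
export function fullyDecode(value: string): string {
  let current = value;
  for (let round = 0; round < MAX_DECODE_ROUNDS; round++) {
    let next: string;
    try {
      next = decodeURIComponent(current);
    } catch {
      // Malformed escape such as "%zz": stop decoding, caller decides.
      return current;
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// True when any "/"- or "\"-delimited segment of the raw string is ".."
// after decoding. This runs on the raw text on purpose: new URL(...)
// silently resolves ".." and "%2e%2e" segments, so a check on
// url.pathname afterwards would never see them.
export function hasTraversalSegment(raw: string): boolean {
  return fullyDecode(raw)
    .split(/[\\/]+/)
    .some((segment) => segment === '..');
}

export interface ScmUrlCheck {
  ok: boolean;
  reason?: string;
  normalized?: string;
}

// Allow-list the scheme and host, then refuse any traversal segment.
export function checkScmUrl(raw: string, allowedHosts: string[]): ScmUrlCheck {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'not a parseable absolute URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (!allowedHosts.includes(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not in allow-list` };
  }
  if (hasTraversalSegment(raw)) {
    return { ok: false, reason: 'dot-segment traversal in URL' };
  }
  return { ok: true, normalized: url.toString() };
}

// Constructed sample inputs: one legitimate repo URL, the rest hostile.
export const SAMPLE_URLS = [
  'https://github.com/example-org/example-repo/blob/main/catalog-info.yaml',
  'https://github.com/example-org/example-repo/../../other-path',
  'https://github.com/example-org/example-repo/%2e%2e/%2e%2e/other-path',
  'https://github.com/example-org/%252e%252e/other-path',
  'http://github.com/example-org/example-repo',
  'https://evil.example/example-org/example-repo',
];

export function runSamples(): ScmUrlCheck[] {
  return SAMPLE_URLS.map((u) => checkScmUrl(u, ['github.com']));
}

runSamples().forEach((result, i) => {
  console.log(SAMPLE_URLS[i], '->', result.ok ? 'accepted' : `rejected (${result.reason})`);
});
```

Only the first sample URL is accepted; the plain `..`, the `%2e%2e` and the `%252e%252e` variants are all rejected by the raw-string check even though the first two of them parse into a clean-looking `pathname`. Bounding the decode loop keeps the check linear on hostile input, and treating `\` as a separator mirrors how the URL parser handles backslashes for special schemes.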

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-29185
GHSA-95V5-PRP4-5GV5

Affected Products

Backstage