CVE-2026-29186

Name of the Vulnerable Software and Affected Versions Backstage versions prior to 1.14.3

Description Backstage, an open framework for building developer portals, contains a configuration bypass that can lead to arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter potentially dangerous MkDocs configuration keys during documentation builds. A flaw in this allowlist allows attackers to create a malicious mkdocs.yml file that executes arbitrary Python code, bypassing TechDocs' security measures. The vulnerable component is the TechDocs documentation build process. The vulnerable configuration file is mkdocs.yml.

Recommendations Versions prior to 1.14.3 should be updated to version 1.14.3 or later. As a temporary workaround, configure TechDocs with runIn: docker instead of runIn: local to provide container isolation. Restrict access to mkdocs.yml files to trusted contributors only. Implement PR review requirements for changes to mkdocs.yml files to detect malicious configurations. Downgrade MkDocs to a version prior to 1.4.0, such as 1.3.1, to disable hooks.