CVE-2026-32237

Name of the Vulnerable Software and Affected Versions Backstage versions prior to 3.1.5

Description Backstage is an open framework for building developer portals. Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. The API endpoint involved is the dry-run API. The vulnerable configuration is scaffolder.defaultEnvironment.secrets.

Recommendations Versions prior to 3.1.5 should be updated to version 3.1.5 or later. Remove or empty the scaffolder.defaultEnvironment.secrets configuration from app-config.yaml. Alternatively, restrict access to the scaffolder dry-run functionality via the permissions framework.