PT-2026-38311 · Npm · @Backstage/Plugin-Catalog-Backend-Module-Unprocessed+2
Published: 2026-05-06 · Updated: 2026-05-06 · CVE-2026-44374
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Impact
The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module.
Patches
This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30. Users should upgrade all packages.
Workarounds
If users cannot upgrade, they can remove the @backstage/plugin-catalog-backend-module-unprocessed module from their backend until the patch is applied. There is no configuration-based workaround to add permission checks to these endpoints without upgrading.
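To confirm that all three packages are at or above the patched versions listed under Patches, the check below scans the resolved versions in a lockfile, including nested copies and pre-release builds. It is an added example, not code from the advisory or from Backstage; it assumes an npm v2/v3 `package-lock.json` layout, and `FIXED`, `isBelow`, `findUnpatched` and `SAMPLE_LOCK` are names introduced here.

```javascript
// Added example. Patched versions are taken from the advisory's Patches section.
const FIXED = {
  "@backstage/plugin-catalog-backend-module-unprocessed": "0.6.11",
  "@backstage/plugin-catalog-unprocessed-entities-common": "0.0.15",
  "@backstage/plugin-catalog-unprocessed-entities": "0.2.30",
};

// True when `installed` sorts before `fixed` (fixed is a plain x.y.z release).
function isBelow(installed, fixed) {
  const noBuild = installed.split("+")[0]; // drop build metadata
  const dash = noBuild.indexOf("-");
  const core = dash === -1 ? noBuild : noBuild.slice(0, dash);
  const a = core.split(".").map(Number);
  const b = fixed.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  // Same x.y.z: a pre-release (0.6.11-next.0) precedes the 0.6.11 release.
  return dash !== -1;
}

// Walk the "packages" map of an npm v2/v3 lockfile, including nested copies.
function findUnpatched(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Nested installs look like "node_modules/a/node_modules/@scope/name".
    const name = path.split("node_modules/").pop();
    const fixed = FIXED[name];
    if (fixed && meta.version && isBelow(meta.version, fixed)) {
      findings.push({ path, name, installed: meta.version, fixed });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-backstage-app", version: "1.0.0" },
    "node_modules/@backstage/plugin-catalog-backend-module-unprocessed": { version: "0.6.10" },
    "node_modules/@backstage/plugin-catalog-unprocessed-entities-common": { version: "0.0.15" },
    "node_modules/@backstage/plugin-catalog-unprocessed-entities": { version: "0.2.30-next.1" },
    "node_modules/example-dep/node_modules/@backstage/plugin-catalog-unprocessed-entities-common": { version: "0.0.14" },
  },
};

for (const f of findUnpatched(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.installed} is below fixed ${f.fixed}`);
}
```

To check a real project, pass the parsed contents of its own lockfile to `findUnpatched` in place of `SAMPLE_LOCK`; an empty result means every resolved copy is at or above the patched version.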
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
@backstage/plugin-catalog-backend-module-unprocessed
@backstage/plugin-catalog-unprocessed-entities
@backstage/plugin-catalog-unprocessed-entities-common