PT-2026-38311 · Npm · @Backstage/Plugin-Catalog-Unprocessed-Entities+2

Benjdlambert

Published

2026-05-06

Updated

2026-05-14

CVE-2026-44374

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions @backstage/plugin-catalog-backend-module-unprocessed versions prior to 0.6.11 @backstage/plugin-catalog-unprocessed-entities-common versions prior to 0.0.15 @backstage/plugin-catalog-unprocessed-entities versions prior to 0.2.30

Description The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. This allows any authenticated user to access unprocessed entity records regardless of ownership, leading to information disclosure.

Recommendations Update @backstage/plugin-catalog-backend-module-unprocessed to version 0.6.11. Update @backstage/plugin-catalog-unprocessed-entities-common to version 0.0.15. Update @backstage/plugin-catalog-unprocessed-entities to version 0.2.30. As a temporary workaround, remove the @backstage/plugin-catalog-backend-module-unprocessed module from the backend.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2026-44374

GHSA-P7G9-RP3G-MGFG

Affected Products

@Backstage/Plugin-Catalog-Backend-Module-Unprocessed

@Backstage/Plugin-Catalog-Unprocessed-Entities

@Backstage/Plugin-Catalog-Unprocessed-Entities-Common

PT-2026-38311 · Npm · @Backstage/Plugin-Catalog-Unprocessed-Entities+2

CVE-2026-44374

Weakness Enumeration

Related Identifiers

Affected Products

References · 4