PT-2026-3875 · Unknown+1 · @Backstage/Plugin-Scaffolder-Backend+3

Rugvip · Published 2026-01-21 · Updated 2026-01-22 · CVE-2026-24046

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
Name of the Vulnerable Software and Affected Versions

Backstage versions prior to 0.12.2, 0.13.2, 0.14.1, and 0.15.0
@backstage/plugin-scaffolder-backend versions prior to 2.2.2, 3.0.2, and 3.1.1
@backstage/plugin-scaffolder-node versions prior to 0.11.2 and 0.12.3
Description

The software is susceptible to symlink-based path traversal attacks. An attacker who can create and execute Scaffolder templates can exploit symlinks to read arbitrary files via the debug:log action, delete arbitrary files via the fs:delete action, and write files outside the workspace through archive extraction (tar/zip) containing malicious symlinks. This impacts any deployment where users can create or execute Scaffolder templates.

The debug:log action can be exploited by creating a symlink pointing to sensitive files such as /etc/passwd, configuration files, and secrets. The fs:delete action can be exploited by creating symlinks pointing outside the workspace. Archive extraction utilities are vulnerable to malicious symlinks within tar or zip files.
Recommendations

Upgrade @backstage/backend-defaults to version 0.12.2, 0.13.2, 0.14.1, or 0.15.0.
Upgrade @backstage/plugin-scaffolder-backend to version 2.2.2, 3.0.2, or 3.1.1.
Upgrade @backstage/plugin-scaffolder-node to version 0.11.2 or 0.12.3.
Limit access to creating and updating templates.
Restrict who can create and execute Scaffolder templates using the permissions framework.
Audit existing templates for symlink usage.
Run Backstage in a containerized environment with limited filesystem access.

Weakness Enumeration

Link Following
Path traversal

Related Identifiers

CVE-2026-24046
GHSA-RQ6Q-WR2Q-7PGP

Affected Products

@Backstage/Backend-Defaults
@Backstage/Plugin-Scaffolder-Backend
@Backstage/Plugin-Scaffolder-Node
Backstage