PT-2026-3876 · Netflix · Backstage+1
Rugvip · Published 2026-01-21 · Updated 2026-01-22 · CVE-2026-24047
CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Backstage versions prior to 0.1.17

Description: The resolveSafeChildPath utility function in @backstage/backend-plugin-api did not properly validate symlink chains and dangling symlinks, leading to a path traversal issue. An attacker could bypass path validation by creating symlink chains or dangling symlinks that resolve outside the allowed directory. This function is used by Scaffolder actions and other backend components to control file operations within designated directories.

Recommendations:
- Upgrade to version 0.1.17 or later.
- Run Backstage in a containerized environment with limited filesystem access.
- Restrict template creation to trusted users.

Weakness Enumeration: Link Following

Related Identifiers: CVE-2026-24047, GHSA-2P49-45HJ-7MC9

Affected Products: @Backstage/Plugin-App-Backend, Backstage