PT-2026-3880 · Netflix · Backstage+1
Rugvip · Published 2026-01-21 · Updated 2026-01-21 · CVE-2026-24048

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Backstage versions prior to 0.12.2
Backstage versions prior to 0.13.2
Backstage versions prior to 0.14.1
Backstage versions prior to 0.15.0
Description

The FetchUrlReader component in Backstage's @backstage/backend-defaults automatically followed HTTP redirects. This allowed an attacker controlling a host listed in backend.reading.allow to redirect requests to internal or sensitive URLs not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) condition that could allow access to internal resources, but it does not allow attackers to include additional request headers. The vulnerable component is used by the catalog and other plugins to fetch content from URLs.
Recommendations

Upgrade to Backstage version 0.12.2 or later.
Upgrade to Backstage version 0.13.2 or later.
Upgrade to Backstage version 0.14.1 or later.
Upgrade to Backstage version 0.15.0 or later.
Restrict backend.reading.allow to only trusted hosts that you control and that do not issue redirects.
Ensure allowed hosts do not have open redirect vulnerabilities.
Use network-level controls to block access from Backstage to sensitive internal endpoints.
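The description above explains the defect (redirects followed automatically, so only the first URL was ever checked against the allowlist) and the recommendations describe the mitigations. The following is an added example, not code from the Backstage project, showing the defensive pattern a URL reader needs: follow redirects one hop at a time and re-run the allowlist check on every hop. The allowlist format (plain hostnames, standing in for the idea of backend.reading.allow), the function names, and the injected fake fetch with its constructed redirect chain are all assumptions made so that the example runs offline.

```javascript
// Added example, not Backstage project code. It shows the fix idea behind
// the advisory: follow redirects one hop at a time and re-check every hop
// against the host allowlist, so an allowed host cannot redirect the reader
// to an internal or otherwise non-allowed URL. The allowlist format
// (plain hostnames) and the function names are assumptions for this demo.

const MAX_REDIRECTS = 5;

// True only for http(s) URLs whose hostname is explicitly allowed.
function isAllowedUrl(urlString, allowedHosts) {
  let url;
  try {
    url = new URL(urlString);
  } catch (_) {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return allowedHosts.includes(url.hostname);
}

// Fetch `startUrl` without automatic redirects. Each hop, including the
// first request, must pass the allowlist check; otherwise the read is
// rejected. `fetchFn` is expected to behave like WHATWG fetch with
// { redirect: 'manual' }: it returns 3xx responses instead of following them.
async function readUrlWithAllowlist(startUrl, allowedHosts, fetchFn) {
  let current = startUrl;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    if (!isAllowedUrl(current, allowedHosts)) {
      throw new Error(`Reading from '${current}' is not allowed by the host allowlist`);
    }
    const res = await fetchFn(current, { redirect: 'manual' });
    if (res.status >= 300 && res.status < 400) {
      const location = res.headers.get('location');
      if (!location) throw new Error(`Redirect from '${current}' has no Location header`);
      // Location may be relative; resolve it against the current URL.
      current = new URL(location, current).toString();
      continue;
    }
    return { finalUrl: current, status: res.status, body: await res.text() };
  }
  throw new Error(`Too many redirects starting from '${startUrl}'`);
}

// Constructed stand-in for fetch() so the example runs offline: a map of
// URL -> canned response. Not a real network client.
function makeFakeFetch(routes) {
  return async (url) => {
    const r = routes[url] || { status: 404, body: 'not found' };
    const hdrs = r.headers || {};
    return {
      status: r.status,
      headers: { get: (name) => hdrs[name.toLowerCase()] ?? null },
      text: async () => r.body || '',
    };
  };
}

// Constructed sample: one allowed host serving content directly, the same
// host redirecting within itself (legitimate), and the same host redirecting
// to a non-allowed internal URL (must be blocked).
const ALLOWED_HOSTS = ['raw.githubusercontent.com'];
const BASE = 'https://raw.githubusercontent.com/org/repo/main/';
const fakeFetch = makeFakeFetch({
  [BASE + 'catalog-info.yaml']: {
    status: 200, body: 'apiVersion: backstage.io/v1alpha1\nkind: Component\n',
  },
  [BASE + 'old.yaml']: {
    status: 302, headers: { location: '/org/repo/main/catalog-info.yaml' },
  },
  [BASE + 'moved.yaml']: {
    status: 302, headers: { location: 'http://internal.example/secret' },
  },
  'http://internal.example/secret': { status: 200, body: 'MUST NOT BE READ' },
});

// Runs all three cases and reports how the allowlist-aware reader behaved.
async function demo() {
  const direct = await readUrlWithAllowlist(BASE + 'catalog-info.yaml', ALLOWED_HOSTS, fakeFetch);
  const sameHost = await readUrlWithAllowlist(BASE + 'old.yaml', ALLOWED_HOSTS, fakeFetch);
  let blocked = false;
  try {
    await readUrlWithAllowlist(BASE + 'moved.yaml', ALLOWED_HOSTS, fakeFetch);
  } catch (e) {
    blocked = /not allowed/.test(e.message);
  }
  return {
    directReadStatus: direct.status,
    sameHostRedirectFinal: sameHost.finalUrl,
    offAllowlistRedirectBlocked: blocked,
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The important design choice is that the allowlist check sits inside the loop, so it runs for the initial URL and for every Location the server hands back, and the hop counter bounds redirect chains. A reader that passes `redirect: 'follow'` to fetch, as the vulnerable versions effectively did, checks only the first URL and never sees where the request actually ends up.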

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-24048
GHSA-Q2X5-4XJX-C6P9

Affected Products

@backstage/backend-defaults
Backstage