CVE-2026-24046
Unknown Unknown - Not Provided
Symlink Path Traversal in Backstage Scaffolder Enables File Access

Publication date: 2026-01-21

Last updated on: 2026-01-21

Assigner: GitHub, Inc.

Description
Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-01-21
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-24046
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
backstage backend_defaults 0.12.2
backstage backend_defaults 0.13.2
backstage backend_defaults 0.14.1
backstage backend_defaults 0.15.0
backstage plugin_scaffolder_backend 2.2.2
backstage plugin_scaffolder_backend 3.0.2
backstage plugin_scaffolder_backend 3.1.1
backstage plugin_scaffolder_node 0.11.2
backstage plugin_scaffolder_node 0.12.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Backstage, an open framework for building developer portals. It involves multiple Scaffolder actions and archive extraction utilities that are vulnerable to symlink-based path traversal attacks. An attacker who can create and execute Scaffolder templates can exploit symbolic links to read arbitrary files (such as sensitive system files), delete arbitrary files outside the intended workspace, and write files outside the workspace by using malicious archives containing symlinks. This allows unauthorized access and modification of files beyond the intended scope.

Impact Analysis

The vulnerability can lead to unauthorized reading of sensitive files (like /etc/passwd, configuration files, and secrets), deletion of arbitrary files outside the workspace, and writing files outside the workspace. This can compromise system integrity, confidentiality, and availability by exposing sensitive information and allowing attackers to manipulate or destroy files on the system where Backstage is deployed.

Mitigation Strategies

To mitigate this vulnerability, upgrade to the fixed versions of the affected Backstage packages: @backstage/backend-defaults versions 0.12.2, 0.13.2, 0.14.1, or 0.15.0; @backstage/plugin-scaffolder-backend versions 2.2.2, 3.0.2, or 3.1.1; and @backstage/plugin-scaffolder-node versions 0.11.2 or 0.12.3 or later. Additionally, limit access to creating and updating Scaffolder templates by using the permissions framework, audit existing templates for symlink usage, and consider running Backstage in a containerized environment with restricted filesystem access.

Detection Guidance

Detection involves auditing existing Scaffolder templates for symlink usage and monitoring for suspicious file operations related to symlinks. Since the vulnerability involves symlink-based path traversal via Scaffolder actions and archive extraction, you can check for symlinks in template directories and extracted archives. For example, use commands like `find /path/to/scaffolder/templates -type l` to find symlinks in templates. Additionally, monitor logs for unusual access to sensitive files or unexpected file deletions. There are no specific commands provided for network detection in the context, but restricting and auditing template creation and execution is recommended.

Compliance Impact

This vulnerability allows attackers to read, delete, or write arbitrary files, including sensitive files and secrets, which could lead to unauthorized access or data breaches. Such incidents can compromise the confidentiality and integrity of personal or sensitive data, potentially causing non-compliance with standards and regulations like GDPR and HIPAA that require protection of sensitive information. Therefore, if exploited, this vulnerability could negatively impact compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24046. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart