CVE-2026-24047
Unknown Unknown - Not Provided
Path Traversal via Symlink Bypass in Backstage Backend Plugin

Publication date: 2026-01-21

Last updated on: 2026-01-21

Assigner: GitHub, Inc.

Description
Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating `link1 β†’ link2 β†’ /outside` where intermediate symlinks eventually resolve outside the allowed directory) and dangling symlinks (creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations). This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later. Some workarounds are available. Run Backstage in a containerized environment with limited filesystem access and/or restrict template creation to trusted users.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-01-21
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24047
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
backstage backend_plugin_api to 0.1.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the resolveSafeChildPath utility function of the @backstage/backend-plugin-api package used by Backstage. The function is intended to prevent path traversal attacks by validating file paths. However, prior to version 0.1.17, it failed to properly validate symlink chains and dangling symlinks. An attacker could exploit this by creating symlink chains or dangling symlinks that eventually resolve to paths outside the allowed directory, bypassing the path validation. This could allow unauthorized file operations outside designated directories.

Impact Analysis

This vulnerability can allow an attacker to bypass path validation and perform unauthorized file operations outside of designated directories. This could lead to exposure or modification of sensitive files, potentially compromising system security or integrity. The impact is significant enough to warrant upgrading to version 0.1.17 or later and applying workarounds such as running Backstage in a containerized environment with limited filesystem access or restricting template creation to trusted users.

Mitigation Strategies

Upgrade @backstage/backend-plugin-api to version 0.1.17 or later. As workarounds, run Backstage in a containerized environment with limited filesystem access and/or restrict template creation to trusted users.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24047. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart