CVE-2026-24048
Unknown Unknown - Not Provided
SSRF in Backstage FetchUrlReader Allows Internal URL Bypass

Publication date: 2026-01-21

Last updated on: 2026-04-25

Assigner: GitHub, Inc.

Description
Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-04-25
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24048
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linuxfoundation backstage/backend_defaults to 0.12.2 (exc)
linuxfoundation backstage/backend_defaults From 0.13.0 (inc) to 0.13.2 (inc)
linuxfoundation backstage/backend_defaults From 0.14.0 (inc) to 0.14.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) issue in the Backstage backend framework's FetchUrlReader component. Before certain fixed versions, the component automatically followed HTTP redirects, which allowed an attacker controlling a host listed in the backend.reading.allow configuration to redirect requests to internal or sensitive URLs not on the allowlist. This bypasses the URL allowlist security control, potentially exposing internal resources. However, attackers cannot add extra request headers.

Impact Analysis

The vulnerability can allow an attacker to access internal or sensitive resources by redirecting requests through a trusted host, bypassing security controls. This could lead to unauthorized access to internal systems or data that should be protected, potentially exposing sensitive information or internal services.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade @backstage/backend-defaults to version 0.12.2, 0.13.2, 0.14.1, or 0.15.0 or later. Additionally, restrict the backend.reading.allow configuration to only trusted hosts that you control and that do not issue redirects. Ensure that allowed hosts do not have open redirect vulnerabilities. You can also implement network-level controls to block access from Backstage to sensitive internal endpoints.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24048. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart