CVE-2026-3118
GraphQL Injection in Red Hat Backstage Causes DoS

Publication date: 2026-02-25

Last updated on: 2026-05-05

Assigner: Red Hat, Inc.

Description
A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.
Meta Information
Published: 2026-02-25
Last Modified: 2026-05-05
Generated: 2026-06-16
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
Vendor: redhat
Product: developer_hub
Version / Range: *
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

CVE-2026-3118 is a GraphQL Injection vulnerability found in the Orchestrator Plugin of the Red Hat Developer Hub (Backstage). It occurs because the system does not properly validate or neutralize special characters in user input that is embedded directly into backend GraphQL queries.

An authenticated user can exploit this by sending specially crafted JSON payloads with malicious GraphQL fragments, such as altered "orderBy" or "filter" values. This manipulation breaks the query structure, causing unhandled exceptions that crash the entire Backstage application.

When the application crashes, it automatically restarts, but this leads to a platform-wide Denial of Service (DoS), temporarily preventing legitimate users from accessing the platform. [1]

Impact Analysis

This vulnerability can cause a platform-wide Denial of Service (DoS) by crashing the entire Backstage application and forcing it to restart.

As a result, legitimate users temporarily lose access to the Red Hat Developer Hub platform, which can disrupt development workflows and reduce service availability.

Since the exploit can be performed remotely by any authenticated user without additional privileges or user interaction, it poses a significant risk to service continuity.

Detection Guidance

This vulnerability can be detected by monitoring for abnormal crashes or restarts of the Red Hat Developer Hub (Backstage) application, specifically related to the Orchestrator Plugin. Since the issue arises from specially crafted GraphQL queries submitted by authenticated users, inspecting API request logs for unusual or malformed GraphQL payloads, especially those manipulating "orderBy" or "filter" fields, can help identify exploitation attempts.

There are no specific commands provided to detect this vulnerability directly, but general approaches include:

- Review application logs for repeated crashes or restarts of the Backstage application.
- Analyze API request logs for suspicious GraphQL queries containing unusual or malformed JSON payloads targeting the Orchestrator Plugin.
- Use network monitoring tools to capture and inspect traffic to the Backstage API endpoints for anomalous GraphQL injection patterns. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the Red Hat Developer Hub (Backstage) Orchestrator Plugin to trusted authenticated users only, as exploitation requires authentication.

Additionally, monitoring and blocking suspicious GraphQL queries that contain malformed or specially crafted inputs targeting the "orderBy" or "filter" fields can reduce the risk of exploitation.

Applying any available patches or updates from Red Hat addressing this vulnerability is strongly recommended once they are released. [1]
