CVE-2026-29184
Log Redaction Bypass in Backstage Scaffolder Enables Secret Exfiltration
Publication date: 2026-03-07
Last updated on: 2026-04-25
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | backstage/plugin-scaffolder-backend | up to 3.1.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29184 is a vulnerability in the Backstage open-source framework, specifically in the @backstage/plugin-scaffolder-backend package in versions up to 3.1.3. It allows a malicious scaffolder template to bypass the log redaction mechanism, so secrets that pass through task event logs can be exposed or exfiltrated.
To exploit this vulnerability, an attacker must be able to register a malicious template in the catalog, and a victim must execute that template. The vulnerability has a low severity rating with a CVSS v3 base score of 2.0, indicating it requires high privileges, user interaction, and has a low impact on confidentiality.
How can this vulnerability impact me?
This vulnerability can lead to the exposure of secrets that are passed through task event logs in Backstage. If exploited, an attacker could exfiltrate sensitive information from these logs.
However, the impact is considered low because exploitation requires high privileges, user interaction, and the ability to register malicious templates. There is no impact on data integrity or system availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your system is running a vulnerable version of the @backstage/plugin-scaffolder-backend package (version 3.1.3 or earlier) and if any malicious scaffolder templates have been registered and executed.
Since exploitation requires the attacker to register a template and a victim to execute it, monitoring for unusual or unauthorized template registrations in the catalog is important.
Additionally, reviewing task event logs for suspicious activity or unexpected secret exfiltration attempts can help detect exploitation.
Specific commands are not provided in the resources, but general approaches include:
- Check the installed version of @backstage/plugin-scaffolder-backend, for example by inspecting package.json or using npm/yarn commands.
- Audit the catalog for recently registered scaffolder templates, especially those from untrusted users.
- Review task event logs for unusual entries or evidence of secret leakage.
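The version check in the first item, as an added example that is not part of this record or of the Backstage project: package.json only records version ranges, so the check reads the resolved versions from yarn.lock text (yarn v1 and berry header and version line formats) and flags any resolved @backstage/plugin-scaffolder-backend below the fixed release 3.1.4. The lockfile excerpt is constructed for the example.

```javascript
// Added example: flag vulnerable resolved versions of the scaffolder backend in a yarn.lock.
const PKG = '@backstage/plugin-scaffolder-backend';
const FIXED = '3.1.4'; // first release not affected by CVE-2026-29184

// Numeric major.minor.patch comparison; a pre-release suffix (e.g. -next.1) is ignored.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect the resolved versions of `pkg` from yarn.lock text. Entry headers are unindented and
// look like "@scope/name@^3.1.0": (v1) or "@scope/name@npm:^3.1.0": (berry); the indented
// version line is  version "3.1.2"  (v1) or  version: 3.1.2  (berry).
function resolvedVersions(lockText, pkg = PKG) {
  const versions = [];
  let inEntry = false;
  for (const line of lockText.split('\n')) {
    if (!line.startsWith(' ') && line.trim() !== '') {
      // Header line: match "<pkg>@" so sibling packages such as
      // @backstage/plugin-scaffolder-backend-module-github are not picked up.
      inEntry = line.includes(`${pkg}@`);
      continue;
    }
    if (inEntry) {
      const m = line.match(/^\s+version:?\s+"?([0-9][^"\s]*)"?/);
      if (m) { versions.push(m[1]); inEntry = false; }
    }
  }
  return [...new Set(versions)];
}

// Versions that still need the upgrade to 3.1.4 or later.
function vulnerableVersions(lockText) {
  return resolvedVersions(lockText).filter(v => compareSemver(v, FIXED) < 0);
}

// Constructed lockfile excerpt mixing v1 and berry entries plus an unrelated sibling package.
const SAMPLE_LOCK = `
"@backstage/plugin-scaffolder-backend@^3.1.0":
  version "3.1.2"

"@backstage/plugin-scaffolder-backend-module-github@^0.7.0":
  version "0.7.0"

"@backstage/plugin-scaffolder-backend@npm:^3.1.4":
  version: 3.1.5
`;

console.log('vulnerable:', vulnerableVersions(SAMPLE_LOCK)); // prints vulnerable: [ '3.1.2' ]
```

To run against a real checkout, pass `require('fs').readFileSync('yarn.lock', 'utf8')` instead of the sample; a monorepo can legitimately resolve more than one version, and every one below 3.1.4 needs the upgrade.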
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the @backstage/plugin-scaffolder-backend package to version 3.1.4 or later, where the vulnerability is patched.
Additional immediate steps include:
- Implement a custom permission policy to restrict the scaffolder.task.read permission so that users can only read their own task logs.
- Limit the registration of scaffolder templates in the catalog to trusted users only.