CVE-2026-29184
Received Received - Intake
Log Redaction Bypass in Backstage Scaffolder Enables Secret Exfiltration

Publication date: 2026-03-07

Last updated on: 2026-04-25

Assigner: GitHub, Inc.

Description
Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs. This issue has been patched in version 3.1.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-04-25
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29184
EUVD
EUVD-2026-10144
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation backstage/plugin-scaffolder-backend to 3.1.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29184 is a vulnerability in the Backstage open framework, specifically in the @backstage/plugin-scaffolder-backend package versions up to 3.1.3. It allows a malicious scaffolder template to bypass the log redaction mechanism, which means secrets that are passed through task event logs can be exposed or exfiltrated.

To exploit this vulnerability, an attacker must be able to register a malicious template in the catalog, and a victim must execute that template. The vulnerability has a low severity rating with a CVSS v3 base score of 2.0, indicating it requires high privileges, user interaction, and has a low impact on confidentiality.

Impact Analysis

This vulnerability can lead to the exposure of secrets that are passed through task event logs in Backstage. If exploited, an attacker could exfiltrate sensitive information from these logs.

However, the impact is considered low because exploitation requires high privileges, user interaction, and the ability to register malicious templates. There is no impact on data integrity or system availability.

Compliance Impact

I don't know

Detection Guidance

Detection of this vulnerability involves identifying if your system is running a vulnerable version of the @backstage/plugin-scaffolder-backend package (version 3.1.3 or earlier) and if any malicious scaffolder templates have been registered and executed.

Since exploitation requires the attacker to register a template and a victim to execute it, monitoring for unusual or unauthorized template registrations in the catalog is important.

Additionally, reviewing task event logs for suspicious activity or unexpected secret exfiltration attempts can help detect exploitation.

Specific commands are not provided in the resources, but general approaches include:

  • Check the installed version of @backstage/plugin-scaffolder-backend, for example by inspecting package.json or using npm/yarn commands.
  • Audit the catalog for recently registered scaffolder templates, especially those from untrusted users.
  • Review task event logs for unusual entries or evidence of secret leakage.
Mitigation Strategies

The primary mitigation is to upgrade the @backstage/plugin-scaffolder-backend package to version 3.1.4 or later, where the vulnerability is patched.

Additional immediate steps include:

  • Implement a custom permission policy to restrict the scaffolder.task.read permission so that users can only read their own task logs.
  • Limit the registration of scaffolder templates in the catalog to trusted users only.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29184. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart