CVE-2026-29185
Received Received - Intake
Path Traversal in Backstage SCM Integration Enables Unauthorized API Access

Publication date: 2026-03-07

Last updated on: 2026-04-25

Assigner: GitHub, Inc.

Description
Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that construct API URLs, the traversal segments could redirect requests to unintended SCM provider API endpoints using the configured server-side integration credentials. This issue has been patched in version 1.20.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-04-25
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29185
EUVD
EUVD-2026-10145
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation backstage/integration to 1.20.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing attackers to redirect API requests to unintended SCM provider endpoints using your server-side integration credentials. This can lead to exposure of sensitive information due to unauthorized access to SCM provider APIs.

The impact is limited to confidentiality, with no effect on data integrity or availability. The attack requires network access and high privileges but no user interaction.

Compliance Impact

I don't know

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

The only effective mitigation step is to upgrade the Backstage integration package to version 1.20.1 or later, where the vulnerability has been patched.

There are no available workarounds for this vulnerability.

Executive Summary

CVE-2026-29185 is a vulnerability in the SCM URL parsing mechanism used by Backstage integrations, specifically in versions up to 1.20.0. It allows attackers to include encoded path traversal sequences in file paths within SCM URLs. When these URLs are processed by integration functions that build API URLs, the traversal sequences can redirect requests to unintended SCM provider API endpoints. This redirection exploits the configured server-side integration credentials, potentially exposing sensitive information.

The vulnerability affects SCM integrations such as GitHub, Bitbucket Server, and Bitbucket Cloud, especially when features like the scaffolder accept user-provided SCM URLs. The issue was patched in version 1.20.1.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29185. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart