CVE-2026-32237
Information Disclosure via Scaffolder Dry-Run in Backstage Plugin
Publication date: 2026-03-12
Last updated on: 2026-04-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | backstage/plugin-scaffolder-backend | From 3.1.0 (inc) to 3.1.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32237 is a moderate severity vulnerability in the Backstage open framework, specifically in the @backstage/plugin-scaffolder-backend package versions 3.1.0 and above before 3.1.5.
The issue allows authenticated users who have permission to execute scaffolder dry-runs to access server-configured environment secrets through the dry-run API response. While secrets are properly redacted in log outputs, they are not fully redacted in all parts of the response payload.
This vulnerability affects deployments that have configured scaffolder.defaultEnvironment.secrets and was patched in version 3.1.5.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can lead to unauthorized disclosure of sensitive environment secrets to authenticated users who can perform scaffolder dry-runs.'}, {'type': 'paragraph', 'content': "Since these secrets may include credentials or other sensitive configuration data, their exposure can compromise the confidentiality of your system's environment."}, {'type': 'paragraph', 'content': 'The CVSS score indicates a high confidentiality impact, meaning that while integrity and availability are not affected, the leakage of secrets could lead to further security risks if those secrets are misused.'}, {'type': 'paragraph', 'content': 'Mitigation involves upgrading to version 3.1.5, removing or emptying the secrets configuration, or restricting access to the dry-run functionality.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Backstage deployment uses the @backstage/plugin-scaffolder-backend package version 3.1.0 up to but not including 3.1.5, and if the scaffolder.defaultEnvironment.secrets configuration is set.
To detect exploitation attempts, monitor API calls to the scaffolder dry-run endpoint by authenticated users with permission to execute dry-runs, as these calls may return environment secrets in the response payload.
Specific commands to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the @backstage/plugin-scaffolder-backend package to version 3.1.5 or later, where the vulnerability is patched.
Alternatively, you can remove or empty the scaffolder.defaultEnvironment.secrets configuration in your app-config.yaml to prevent secrets from being exposed.
Additionally, restrict access to the scaffolder dry-run functionality by adjusting permissions to limit which authenticated users can execute dry-runs.