CVE-2026-32237
Received Received - Intake
Information Disclosure via Scaffolder Dry-Run in Backstage Plugin

Publication date: 2026-03-12

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32237
EUVD
EUVD-2026-11675
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation backstage/plugin-scaffolder-backend From 3.1.0 (inc) to 3.1.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32237 is a moderate severity vulnerability in the Backstage open framework, specifically in the @backstage/plugin-scaffolder-backend package versions 3.1.0 and above before 3.1.5.

The issue allows authenticated users who have permission to execute scaffolder dry-runs to access server-configured environment secrets through the dry-run API response. While secrets are properly redacted in log outputs, they are not fully redacted in all parts of the response payload.

This vulnerability affects deployments that have configured scaffolder.defaultEnvironment.secrets and was patched in version 3.1.5.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to unauthorized disclosure of sensitive environment secrets to authenticated users who can perform scaffolder dry-runs.'}, {'type': 'paragraph', 'content': "Since these secrets may include credentials or other sensitive configuration data, their exposure can compromise the confidentiality of your system's environment."}, {'type': 'paragraph', 'content': 'The CVSS score indicates a high confidentiality impact, meaning that while integrity and availability are not affected, the leakage of secrets could lead to further security risks if those secrets are misused.'}, {'type': 'paragraph', 'content': 'Mitigation involves upgrading to version 3.1.5, removing or emptying the secrets configuration, or restricting access to the dry-run functionality.'}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if your Backstage deployment uses the @backstage/plugin-scaffolder-backend package version 3.1.0 up to but not including 3.1.5, and if the scaffolder.defaultEnvironment.secrets configuration is set.

To detect exploitation attempts, monitor API calls to the scaffolder dry-run endpoint by authenticated users with permission to execute dry-runs, as these calls may return environment secrets in the response payload.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include upgrading the @backstage/plugin-scaffolder-backend package to version 3.1.5 or later, where the vulnerability is patched.

Alternatively, you can remove or empty the scaffolder.defaultEnvironment.secrets configuration in your app-config.yaml to prevent secrets from being exposed.

Additionally, restrict access to the scaffolder dry-run functionality by adjusting permissions to limit which authenticated users can execute dry-runs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32237. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart