CVE-2026-24046 Overview
CVE-2026-24046 is a symlink-based path traversal vulnerability affecting Backstage, an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to attacks that allow an attacker with access to create and execute Scaffolder templates to read, delete, or write arbitrary files outside the intended workspace directory.
Critical Impact
Attackers can exploit symlinks to read sensitive files (e.g., /etc/passwd, configuration files, secrets), delete arbitrary files, or write files outside the workspace via malicious archive extraction.
Affected Products
- @backstage/backend-defaults versions prior to 0.12.2, 0.13.2, 0.14.1, and 0.15.0
- @backstage/plugin-scaffolder-backend versions prior to 2.2.2, 3.0.2, and 3.1.1
- @backstage/plugin-scaffolder-node versions prior to 0.11.2 and 0.12.3
Discovery Timeline
- 2026-01-21 - CVE-2026-24046 published to NVD
- 2026-01-21 - Last updated in the NVD database
Technical Details for CVE-2026-24046
Vulnerability Analysis
This path traversal vulnerability (CWE-22) affects any Backstage deployment in which users can create or execute Scaffolder templates. Exploitation requires network access and low privileges (an authenticated user with template creation rights) and is rated as high attack complexity with a changed scope; the impact is primarily to confidentiality, with potential for limited availability disruption.
The vulnerability manifests through three distinct attack vectors within the Scaffolder component: reading arbitrary files via the debug:log action, deleting arbitrary files via the fs:delete action, and writing files outside the workspace through malicious tar/zip archive extraction containing symlinks.
Root Cause
The root cause is improper path validation when handling symbolic links within Scaffolder actions and archive extraction utilities. The application failed to verify that resolved paths after following symlinks remained within the intended workspace boundaries, allowing directory traversal attacks.
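As an added illustration of the root cause described above (example code written for this page, not Backstage's own resolveSafeChildPath implementation): a workspace-path resolver that first applies a lexical containment check and then re-checks containment after resolving symlinks with fs.realpath. The demo() function builds a throwaway workspace under the OS temp directory with a constructed symlink pointing outside it, and shows that the lexical check alone accepts the symlink while the physical check rejects it. The function names (isLexicalChildPath, resolveSafeWorkspacePath, realpathWithMissingTail) are hypothetical; the example assumes Node.js on a POSIX filesystem where an unprivileged process may create symlinks.

```typescript
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

// Lexical containment: is `candidate` at or below `base` by path arithmetic alone?
// This is the kind of check that a symlink inside the workspace slips past.
export function isLexicalChildPath(base: string, candidate: string): boolean {
  const rel = path.relative(path.resolve(base), path.resolve(candidate));
  return rel === '' || (rel.split(path.sep)[0] !== '..' && !path.isAbsolute(rel));
}

// Resolve symlinks in the deepest existing ancestor of `target`, then re-append the
// not-yet-existing tail, so paths about to be created are checked as well.
function realpathWithMissingTail(target: string): string {
  let probe = target;
  const missing: string[] = [];
  for (;;) {
    try {
      fs.lstatSync(probe); // exists as file, dir, or symlink (even a dangling one)
      break;
    } catch {
      missing.unshift(path.basename(probe));
      const parent = path.dirname(probe);
      if (parent === probe) break;
      probe = parent;
    }
  }
  try {
    return path.join(fs.realpathSync(probe), ...missing);
  } catch {
    // A dangling symlink in the path cannot be resolved; refuse rather than guess.
    throw new Error(`unresolvable symlink in path: ${target}`);
  }
}

// Hypothetical hardened resolver: lexical check, then physical (post-symlink) check.
export function resolveSafeWorkspacePath(workspace: string, relPath: string): string {
  const candidate = path.resolve(workspace, relPath);
  if (!isLexicalChildPath(workspace, candidate)) {
    throw new Error(`path escapes workspace lexically: ${relPath}`);
  }
  const realWorkspace = fs.realpathSync(workspace); // workspace itself may live behind a symlink (e.g. macOS /tmp)
  const realCandidate = realpathWithMissingTail(candidate);
  if (!isLexicalChildPath(realWorkspace, realCandidate)) {
    throw new Error(`path escapes workspace via symlink: ${relPath}`);
  }
  return realCandidate;
}

// Builds a constructed workspace with a symlink pointing outside it and reports
// what each check decides. All files and names here are constructed for the demo.
export function demo(): Record<string, boolean> {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'cve-2026-24046-'));
  const outside = path.join(root, 'outside');
  const workspace = path.join(root, 'workspace');
  fs.mkdirSync(outside);
  fs.mkdirSync(workspace);
  fs.writeFileSync(path.join(outside, 'secret.txt'), 'constructed secret\n');
  fs.writeFileSync(path.join(workspace, 'README.md'), '# ok\n');
  // What a hostile template plants: a symlink inside the workspace that points outside it.
  fs.symlinkSync(path.join(outside, 'secret.txt'), path.join(workspace, 'link.txt'));

  const rejects = (rel: string): boolean => {
    try {
      resolveSafeWorkspacePath(workspace, rel);
      return false;
    } catch {
      return true;
    }
  };
  const result: Record<string, boolean> = {
    lexicalCheckAlonePassesSymlink: isLexicalChildPath(workspace, path.join(workspace, 'link.txt')),
    symlinkRejected: rejects('link.txt'),
    dotDotRejected: rejects('../outside/secret.txt'),
    regularFileAllowed: !rejects('README.md'),
    newFileAllowed: !rejects('generated/output.txt'),
  };
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

The order of the two checks matters: the lexical check is cheap and catches plain `../` segments before any filesystem access, while the realpath comparison is what actually closes the symlink gap, because it compares where the path lands rather than how it is spelled.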
Attack Vector
An authenticated attacker with permissions to create and execute Scaffolder templates can craft malicious templates containing symbolic links pointing to sensitive locations outside the workspace directory. When these templates are processed:
- Read Attack: The debug:log action follows symlinks to read and expose contents of files like /etc/passwd or application secrets
- Delete Attack: The fs:delete action follows symlinks to delete files outside the workspace
- Write Attack: Archive extraction (tar/zip) containing symlinks can write files to arbitrary locations
The security patch introduces path validation functions to prevent symlink-based escapes:
*/
import {
+ resolveSafeChildPath,
UrlReaderServiceReadTreeResponse,
UrlReaderServiceReadTreeResponseDirOptions,
UrlReaderServiceReadTreeResponseFile,
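Review bot: the excerpt shows only the added import (the `+ resolveSafeChildPath,` line); none of the call sites where it replaces an unchecked path join in the debug:log or fs:delete actions are included, so the hunk as shown does not let a reader confirm which actions are covered or whether every path derived from template input goes through it. Suggest including the hunk(s) where the workspace-relative path is resolved through resolveSafeChildPath, and trimming the stray `*/` line above `import {`, which belongs to a preceding comment block rather than to the change.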
Source: GitHub Commit Details
The patch also adds isChildPath validation for archive extraction:
*/
import {
+ isChildPath,
UrlReaderServiceReadTreeResponse,
UrlReaderServiceReadTreeResponseDirOptions,
UrlReaderServiceReadTreeResponseFile,
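Review bot: isChildPath is only imported here; the excerpt does not show the check itself or what happens when it returns false for an archive entry (entry skipped, symlink dropped, or extraction aborted). That decision matters for the case the text describes, an archive containing symlink entries whose targets point at parent directories, and for a later entry whose name passes through an earlier symlink entry; suggest showing the validation hunk and documenting the failure behaviour alongside it.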
Source: GitHub Commit Details
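The isChildPath validation for archive extraction, generalized as an added example (not the patch's own code): a planner that decides, entry by entry, whether a tar/zip entry may be written under the destination. Beyond the plain name check it also rejects symlink entries whose link target resolves outside the destination, hard links, absolute names and targets, and any later entry whose path passes through a previously accepted symlink entry, since writing through such a link is how a lexically clean name can still land outside. The ArchiveEntry shape, the SAMPLE_ENTRIES list and the planExtraction function are all constructed for this example. This lexical planner complements, and does not replace, a realpath-based check against symlinks that already exist on disk.

```typescript
import * as path from 'path';

// Constructed entry shape, roughly what a tar/zip reader hands to an extractor.
export interface ArchiveEntry {
  name: string;                                        // path recorded in the archive
  type: 'file' | 'directory' | 'symlink' | 'hardlink';
  linkTarget?: string;                                 // only for symlink/hardlink entries
}

export interface ExtractionDecision {
  entry: ArchiveEntry;
  accept: boolean;
  reason: string;
}

// Lexical containment: is `candidate` at or below `base` by path arithmetic alone?
function isLexicalChildPath(base: string, candidate: string): boolean {
  const rel = path.relative(path.resolve(base), path.resolve(candidate));
  return rel === '' || (rel.split(path.sep)[0] !== '..' && !path.isAbsolute(rel));
}

// Does `target` have an ancestor directory that an earlier entry created as a symlink?
function passesThroughSymlink(target: string, symlinkEntries: Set<string>): boolean {
  let dir = path.dirname(target);
  while (dir !== path.dirname(dir)) { // stop at the filesystem root
    if (symlinkEntries.has(dir)) return true;
    dir = path.dirname(dir);
  }
  return false;
}

// Decide, in archive order, which entries are safe to materialize under `dest`.
export function planExtraction(dest: string, entries: ArchiveEntry[]): ExtractionDecision[] {
  const destAbs = path.resolve(dest);
  const symlinkEntries = new Set<string>(); // absolute paths of accepted symlink entries
  const decisions: ExtractionDecision[] = [];

  for (const entry of entries) {
    const target = path.resolve(destAbs, entry.name);
    const reject = (reason: string) => decisions.push({ entry, accept: false, reason });

    // 1. The entry name itself must stay under dest ("zip slip" via ../ or absolute names).
    if (path.isAbsolute(entry.name) || !isLexicalChildPath(destAbs, target)) {
      reject('entry name escapes destination');
      continue;
    }
    // 2. Never write through a directory that an earlier entry created as a symlink.
    if (passesThroughSymlink(target, symlinkEntries)) {
      reject('path traverses a symlink entry');
      continue;
    }
    // 3. Hard links can alias any file on the host; refuse them outright.
    if (entry.type === 'hardlink') {
      reject('hard links are not allowed');
      continue;
    }
    // 4. Symlink entries are allowed only when their target stays under dest.
    if (entry.type === 'symlink') {
      const linkTarget = entry.linkTarget ?? '';
      const resolved = path.resolve(path.dirname(target), linkTarget);
      if (linkTarget === '' || path.isAbsolute(linkTarget) || !isLexicalChildPath(destAbs, resolved)) {
        reject('symlink target escapes destination');
        continue;
      }
      symlinkEntries.add(target);
    }
    decisions.push({ entry, accept: true, reason: 'ok' });
  }
  return decisions;
}

// Names of the entries the planner would actually extract.
export function acceptedNames(decisions: ExtractionDecision[]): string[] {
  return decisions.filter(d => d.accept).map(d => d.entry.name);
}

// Constructed sample listing mixing benign and hostile entries.
export const SAMPLE_ENTRIES: ArchiveEntry[] = [
  { name: 'template/README.md', type: 'file' },
  { name: '../../outside/escaped.txt', type: 'file' },
  { name: '/tmp/absolute.txt', type: 'file' },
  { name: 'template/etc', type: 'symlink', linkTarget: '/etc' },
  { name: 'template/up', type: 'symlink', linkTarget: '../..' },
  { name: 'template/docs', type: 'symlink', linkTarget: 'sub' },
  { name: 'template/docs/notes.md', type: 'file' },
  { name: 'template/passwd', type: 'hardlink', linkTarget: '/etc/passwd' },
];

for (const d of planExtraction('/srv/scaffolder/workspace', SAMPLE_ENTRIES)) {
  console.log(`${d.accept ? 'ACCEPT' : 'REJECT'} ${d.entry.name} (${d.reason})`);
}
```

Rejecting writes through an in-destination symlink (step 2) is deliberately conservative: the link target is inside the destination today, but an extractor that follows it has no guarantee about what the link resolves to once the rest of the archive has been written, so refusing is the cheaper and safer choice.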
Detection Methods for CVE-2026-24046
Indicators of Compromise
- Scaffolder templates containing symbolic link creation commands or references
- Unexpected file access patterns in Backstage logs, particularly reads of /etc/passwd, configuration files, or secrets
- Archive files (tar/zip) being processed that contain symlinks pointing to parent directories
- Audit logs showing template executions followed by access to files outside workspace directories
Detection Strategies
- Monitor Scaffolder template execution logs for suspicious debug:log outputs containing sensitive file contents
- Implement file integrity monitoring on critical system files and application secrets
- Review Scaffolder templates for symlink operations or suspicious archive extraction patterns
- Enable audit logging for all file system operations within Backstage worker processes
Monitoring Recommendations
- Configure alerts for file access attempts to sensitive paths (e.g., /etc/, application configuration directories)
- Monitor for unusual patterns in Scaffolder template creation and execution
- Implement baseline monitoring for normal template behavior and alert on deviations
- Review access logs for the permissions framework to detect unauthorized template creation attempts
How to Mitigate CVE-2026-24046
Immediate Actions Required
- Upgrade @backstage/backend-defaults to 0.12.2, 0.13.2, 0.14.1, or 0.15.0 (or a later release in the same line)
- Upgrade @backstage/plugin-scaffolder-backend to 2.2.2, 3.0.2, or 3.1.1 (or a later release in the same line)
- Upgrade @backstage/plugin-scaffolder-node to 0.11.2 or 0.12.3 (or a later release in the same line)
- Audit all existing Scaffolder templates for symlink usage
Patch Information
The vulnerability is fixed in the package versions listed above. Refer to the GitHub Security Advisory GHSA-rq6q-wr2q-7pgp for complete details. The patch commit c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d introduces resolveSafeChildPath and isChildPath validation so that resolved paths are verified to remain within workspace boundaries.
Workarounds
- Follow the Backstage Threat Model recommendations to limit access to creating and updating templates
- Restrict template creation and execution permissions using the Backstage permissions framework
- Audit existing templates for any symlink usage and remove or sanitize suspicious templates
- Run Backstage in a containerized environment with limited filesystem access to minimize potential damage
# Configuration example
# Restrict filesystem access in containerized deployment
# Example Docker security configuration
docker run --read-only \
--tmpfs /tmp \
--security-opt no-new-privileges:true \
-v /app/workspace:/app/workspace:rw \
backstage/backstage:latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

