CVE-2026-32237 Overview
Backstage, an open framework for building developer portals, contains an information disclosure vulnerability in the scaffolder backend plugin. Prior to version 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. While secrets are properly redacted in log output, they are not redacted in all parts of the response payload, allowing attackers to extract sensitive configuration data.
Critical Impact
Authenticated attackers can extract server-configured environment secrets via the scaffolder dry-run API, potentially compromising deployment credentials, API keys, and other sensitive configuration data.
Affected Products
- Backstage @backstage/plugin-scaffolder-backend versions prior to 3.1.5
- Deployments with configured scaffolder.defaultEnvironment.secrets
Discovery Timeline
- 2026-03-12 - CVE-2026-32237 published to NVD
- 2026-03-12 - Last updated in the NVD database
Technical Details for CVE-2026-32237
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The core issue lies in inconsistent secret redaction within the scaffolder backend plugin. When processing dry-run requests, the application correctly redacts secrets from log output but fails to apply the same redaction to the API response payload. This creates a path for authenticated users to extract environment secrets that should remain confidential.
The attack requires network access to the Backstage backend and an authenticated account that holds the scaffolder dry-run permission, which limits the pool of potential attackers. The impact is nonetheless significant: a single dry-run response can expose every configured secret at once, including deployment credentials, third-party API keys, and other sensitive environment values, and the exposure does not depend on the template being malicious, only on it referencing the secrets.
Root Cause
The root cause is improper handling of sensitive data in NunjucksWorkflowRunner.ts within the scaffolder backend plugin. Both the server-configured environment secrets (scaffolder.defaultEnvironment.secrets) and the task's own secrets were placed in the Nunjucks template context regardless of whether the task was a dry run or a real execution. Because a dry run renders templates and returns the rendered result to the caller rather than executing actions, anything the template pulls from that context, including secret values, could end up in the response.
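As an added illustration (not code from Backstage or from the patch below), the following TypeScript stand-in builds a template context the way the root cause describes, once with secrets always present and once gated on `isDryRun`, and renders a step's input through a simplified `${{ ... }}` resolver so the leak and the fix are visible side by side. The regex resolver, the `Task` and `Environment` shapes, the step-input field, and the `environment.secrets.*` reference path are assumptions for this example; the real plugin renders with Nunjucks and its context is richer than this.

```typescript
// Added example, not Backstage code: minimal stand-in for the scaffolder's
// template-context construction, vulnerable and patched, plus a toy renderer.
type Secrets = Record<string, string>;

interface Environment {
  parameters?: Record<string, string>;
  secrets?: Secrets;
}

interface Task {
  isDryRun: boolean;
  secrets?: Secrets;
  stepInput: Record<string, string>; // assumed: one step's input block as templates
}

interface TemplateContext {
  environment: { parameters: Record<string, string>; secrets: Secrets };
  secrets: Secrets;
}

// Pre-3.1.5 shape: secrets reach the template context on every run.
export function buildContextVulnerable(task: Task, env: Environment): TemplateContext {
  return {
    environment: { parameters: env.parameters ?? {}, secrets: env.secrets ?? {} },
    secrets: task.secrets ?? {},
  };
}

// 3.1.5 shape: a dry run gets empty secret maps in both places.
export function buildContextPatched(task: Task, env: Environment): TemplateContext {
  return {
    environment: {
      parameters: env.parameters ?? {},
      secrets: task.isDryRun ? {} : (env.secrets ?? {}),
    },
    secrets: task.isDryRun ? {} : (task.secrets ?? {}),
  };
}

// Simplified stand-in for Nunjucks: resolves ${{ a.b.c }} paths against the
// context; unresolved paths render as empty strings.
export function renderSimple(tpl: string, ctx: TemplateContext): string {
  return tpl.replace(/\$\{\{\s*([\w.]+)\s*\}\}/g, (_match: string, path: string): string => {
    let cur: unknown = ctx;
    for (const key of path.split('.')) {
      if (cur !== null && typeof cur === 'object' && key in cur) {
        cur = (cur as Record<string, unknown>)[key];
      } else {
        return '';
      }
    }
    return typeof cur === 'string' ? cur : '';
  });
}

// Renders every step input, which is what a dry run hands back to the caller.
export function renderStepInput(
  task: Task,
  env: Environment,
  build: (t: Task, e: Environment) => TemplateContext,
): Record<string, string> {
  const ctx = build(task, env);
  const out: Record<string, string> = {};
  for (const [k, v] of Object.entries(task.stepInput)) out[k] = renderSimple(v, ctx);
  return out;
}

// Constructed sample: one server-configured secret, one task secret, and a
// template step that references both.
export const sampleEnv: Environment = {
  parameters: { org: 'example-org' },
  secrets: { DEPLOY_TOKEN: 'ghp_constructed_sample_token' },
};

export const sampleDryRun: Task = {
  isDryRun: true,
  secrets: { USER_TOKEN: 'user-token-constructed' },
  stepInput: {
    token: '${{ environment.secrets.DEPLOY_TOKEN }}',
    userToken: '${{ secrets.USER_TOKEN }}',
    repo: '${{ environment.parameters.org }}/service',
  },
};

// Vulnerable build leaks both secrets into the rendered step input; the
// patched build renders them empty in a dry run but keeps parameters intact.
export const leakedOutput = renderStepInput(sampleDryRun, sampleEnv, buildContextVulnerable);
export const patchedOutput = renderStepInput(sampleDryRun, sampleEnv, buildContextPatched);
```

The patched variant still renders the parameter reference, so a dry run remains useful for checking template logic; only the two secret maps are blanked, which is exactly the scope of the upstream change.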
Attack Vector
An authenticated user holding the scaffolder dry-run permission sends a dry-run request for a template whose steps reference secrets (the task's own secrets or the server-configured environment secrets). Because those secrets sit in the workflow context during rendering, their values are rendered into the dry-run output that the API returns to the caller, even though the same values are redacted from production logging.
// Security patch in plugins/scaffolder-backend/src/scaffolder/tasks/NunjucksWorkflowRunner.ts
// Source: https://github.com/backstage/backstage/commit/3b62dd2d6bf7623ebd23e4b5a6dceb209f98dfce
...context,
environment: {
parameters: this.environment?.parameters ?? {},
- secrets: this.environment?.secrets ?? {},
+ secrets: task.isDryRun ? {} : this.environment?.secrets ?? {},
},
- secrets: task.secrets ?? {},
+ secrets: task.isDryRun ? {} : task.secrets ?? {},
};
const resolvedEach =
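Review bot: on the two `+` lines, `task.isDryRun ? {} : this.environment?.secrets ?? {}` parses as intended only because `??` binds tighter than the conditional; `task.isDryRun ? {} : (this.environment?.secrets ?? {})` would make that explicit and is worth the parentheses. More important, substituting `{}` means a dry run of a template that references a secret now renders that reference against an empty object rather than failing, so dry-run output quietly diverges from a real run with no signal to the caller; consider surfacing that in the dry-run response or the docs. Since `secrets` is assigned after the `...context` spread it cannot be reintroduced through that key, but confirm no other key carried in by `context` holds a populated secrets map.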
Detection Methods for CVE-2026-32237
Indicators of Compromise
- Unusual or excessive scaffolder dry-run API requests from authenticated users
- API responses containing unexpected secret values in the payload
- Audit logs showing repeated dry-run executions targeting specific templates
- Anomalous access patterns to templates configured with sensitive secrets
Detection Strategies
- Monitor scaffolder API endpoints for dry-run requests, particularly from users who don't typically use this functionality
- Implement response payload inspection to detect potential secret leakage in API responses
- Review access logs for patterns indicating reconnaissance or enumeration of scaffolder templates
- Enable detailed auditing of all scaffolder operations to track potential exploitation attempts
Monitoring Recommendations
- Configure alerts for elevated dry-run API request volumes from individual users
- Implement network-level monitoring for scaffolder API traffic patterns
- Review authentication logs for accounts with scaffolder permissions that may have been compromised
- Establish baseline metrics for normal scaffolder usage to identify anomalous behavior
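The indicators, strategies and monitoring items above, as an added example in TypeScript that is not Backstage code: it parses constructed JSON access-log lines, flags users whose dry-run calls burst within a time window (reporting how many distinct templates those calls touched, for the enumeration indicator), and scans a constructed dry-run response for the literal values of configured secrets. The log field names, the `/api/scaffolder/v2/dry-run` route, the identity format and the response shape are assumptions to adapt to your proxy and audit logging.

```typescript
// Added example, not Backstage code: detection logic for dry-run bursts,
// template enumeration, and secret values echoed in a response payload.
interface LogEntry {
  ts: string;        // ISO-8601 timestamp
  user: string;      // assumed Backstage identity, e.g. "user:default/alice"
  method: string;
  path: string;
  status: number;
  template?: string; // template ref, if the audit logger records it
}

export const DRY_RUN_PATH = '/api/scaffolder/v2/dry-run'; // assumed route

export function parseLogLines(raw: string): LogEntry[] {
  return raw
    .split('\n')
    .filter((l) => l.trim().length > 0)
    .map((l) => JSON.parse(l) as LogEntry);
}

const isDryRun = (e: LogEntry): boolean => e.method === 'POST' && e.path === DRY_RUN_PATH;

export interface Burst { user: string; count: number; templates: number }

// Flags users whose dry-run calls within any `windowMs` span reach `threshold`,
// using a sliding window over their sorted timestamps.
export function flagDryRunBursts(entries: LogEntry[], windowMs: number, threshold: number): Burst[] {
  const byUser = new Map<string, LogEntry[]>();
  for (const e of entries.filter(isDryRun)) {
    let list = byUser.get(e.user);
    if (!list) { list = []; byUser.set(e.user, list); }
    list.push(e);
  }
  const out: Burst[] = [];
  for (const [user, evs] of byUser) {
    evs.sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
    let best = 0;
    let lo = 0;
    for (let hi = 0; hi < evs.length; hi++) {
      while (Date.parse(evs[hi].ts) - Date.parse(evs[lo].ts) > windowMs) lo++;
      best = Math.max(best, hi - lo + 1);
    }
    if (best >= threshold) {
      const templates = new Set(evs.map((e) => e.template).filter(Boolean)).size;
      out.push({ user, count: best, templates });
    }
  }
  return out;
}

// Walks any JSON-shaped payload and returns the names of configured secrets
// whose literal values appear in it (nested objects and arrays included).
export function findLeakedSecrets(payload: unknown, secrets: Record<string, string>): string[] {
  const strings: string[] = [];
  const walk = (v: unknown): void => {
    if (typeof v === 'string') strings.push(v);
    else if (Array.isArray(v)) v.forEach((x) => walk(x));
    else if (v !== null && typeof v === 'object') Object.values(v).forEach((x) => walk(x));
  };
  walk(payload);
  return Object.entries(secrets)
    .filter(([, value]) => value.length > 0 && strings.some((s) => s.includes(value)))
    .map(([name]) => name)
    .sort();
}

// Constructed sample log: one user hammers dry-run across several templates in
// ninety seconds; two others use it normally.
const dr = (ts: string, user: string, template: string): LogEntry =>
  ({ ts, user, method: 'POST', path: DRY_RUN_PATH, status: 200, template });
const sampleEntries: LogEntry[] = [
  dr('2026-03-13T10:00:00Z', 'user:default/mallory', 'template:default/deploy-service'),
  dr('2026-03-13T10:00:20Z', 'user:default/mallory', 'template:default/deploy-service'),
  dr('2026-03-13T10:00:45Z', 'user:default/mallory', 'template:default/create-repo'),
  dr('2026-03-13T10:01:10Z', 'user:default/mallory', 'template:default/rotate-keys'),
  dr('2026-03-13T10:01:30Z', 'user:default/mallory', 'template:default/publish-docs'),
  { ts: '2026-03-13T10:01:35Z', user: 'user:default/mallory', method: 'GET', path: '/api/scaffolder/v2/templates', status: 200 },
  dr('2026-03-13T10:05:00Z', 'user:default/alice', 'template:default/deploy-service'),
  dr('2026-03-13T09:00:00Z', 'user:default/bob', 'template:default/deploy-service'),
  dr('2026-03-13T10:10:00Z', 'user:default/bob', 'template:default/create-repo'),
];
export const sampleLog: string = sampleEntries.map((e) => JSON.stringify(e)).join('\n');

// Constructed dry-run response: the log line is redacted, the rendered step
// input is not, which is the pattern this CVE describes.
export const sampleDryRunResponse = {
  log: [{ body: { message: 'Beginning step Fetch' } }, { body: { message: 'token: ***' } }],
  steps: [{ id: 'fetch', input: { token: 'ghp_constructed_sample_token', repo: 'example-org/service' } }],
};
export const configuredSecrets = { DEPLOY_TOKEN: 'ghp_constructed_sample_token', OTHER: 'value-not-present' };

export const bursts = flagDryRunBursts(parseLogLines(sampleLog), 5 * 60 * 1000, 4);
export const leaked = findLeakedSecrets(sampleDryRunResponse, configuredSecrets);
```

Tune `windowMs` and `threshold` from a baseline of normal usage before alerting on them; the payload scan is only meaningful at a point that sees plaintext responses, such as a reverse proxy or an outbound-response test harness, and it matches literal values, so rotate anything it reports rather than trusting that the match was benign.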
How to Mitigate CVE-2026-32237
Immediate Actions Required
- Upgrade @backstage/plugin-scaffolder-backend to version 3.1.5 or later immediately
- Review audit logs for any suspicious scaffolder dry-run activity prior to patching
- Rotate any secrets configured in scaffolder.defaultEnvironment.secrets as a precaution
- Assess which users have scaffolder dry-run permissions and verify their need for access
Patch Information
The vulnerability is addressed in @backstage/plugin-scaffolder-backend version 3.1.5. The fix modifies the NunjucksWorkflowRunner.ts file to ensure that secrets are excluded from the workflow context during dry-run operations. The patch ensures that both environment secrets and task secrets return empty objects when task.isDryRun is true. For detailed information, refer to the GitHub Security Advisory GHSA-8wq8-6859-qx77 and the commit changes.
Workarounds
- Temporarily restrict or revoke scaffolder dry-run permissions for non-essential users until the patch can be applied
- If upgrading is not immediately possible, consider disabling the dry-run functionality at the API gateway level
- Remove or clear scaffolder.defaultEnvironment.secrets configuration temporarily if secrets are not essential for operations
- Implement additional API-level access controls to limit who can invoke dry-run endpoints
# Upgrade the scaffolder backend plugin. Backstage apps are yarn workspaces, so
# run this from the repo root against the backend package (named "backend" in
# the default create-app layout):
yarn workspace backend add @backstage/plugin-scaffolder-backend@^3.1.5
# In a single-package npm setup the equivalent is (npm update does not take a
# version spec; use install):
npm install @backstage/plugin-scaffolder-backend@^3.1.5
# Verify the resolved version is 3.1.5 or later
yarn why @backstage/plugin-scaffolder-backend
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

