Cyber Resilience

CVE-2026-24046

Severity: High (Updated)
Published: 21 January 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.0039 (30.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-24046 is a high-severity Path Traversal (CWE-22) vulnerability in Redhat (inferred from references). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). By exploit likelihood (EPSS) the CVE ranks at the 30.9th percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-24046 is a symlink-based path traversal vulnerability in multiple Scaffolder actions and archive extraction utilities within Backstage, an open framework for building developer portals. The issue affects any Backstage deployment where users can create or execute Scaffolder templates, enabling exploitation through symlinks that bypass intended filesystem boundaries.

An attacker with access to create and execute Scaffolder templates can leverage symlinks to read arbitrary files, such as /etc/passwd, configuration files, or secrets, via the debug:log action; delete arbitrary files outside the designated workspace using the fs:delete action; or write files outside the workspace by extracting malicious tar or zip archives containing symlinks. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-59 (Improper Link Resolution Before File Access).

Patches address the issue in @backstage/backend-defaults versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; @backstage/plugin-scaffolder-backend versions 2.2.2, 3.0.2, and 3.1.1; and @backstage/plugin-scaffolder-node versions 0.11.2 and 0.12.3, with users advised to upgrade to these or later versions. Workarounds include following the Backstage Threat Model to limit access to template creation and updates, restricting template creation and execution via the permissions framework, auditing existing templates for symlink usage, and deploying Backstage in a containerized environment with restricted filesystem access. Further details are in the GitHub security advisory at GHSA-rq6q-wr2q-7pgp and the fixing commit c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d.

Vulnerability details

Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink that points to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks that point outside the workspace; and write files outside the workspace via archive extraction (tar/zip) of archives containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available: follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access.
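The three escape routes described above (read, delete and write through a symlink that sits inside the workspace but points outside it) are all closed by one containment check: resolve every symlink in the requested path before touching the filesystem, and refuse anything whose real location is not under the real workspace. The following TypeScript is an added example written for this page, not Backstage's own code or its fix: `resolveSafePath` is that check, `checkArchiveEntry` applies it to tar/zip entries including their symlink targets, and `runDemo` exercises both in a constructed temporary workspace. The `ArchiveEntry` shape, the function names and the temporary directory layout are assumptions made for this example.

```typescript
// Added example (not Backstage code): workspace containment that resolves
// symlinks before a read, delete or write is allowed.
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

function isInside(root: string, candidate: string): boolean {
  return candidate === root || candidate.startsWith(root + path.sep);
}

// lstat, not stat: a symlink counts as existing even if its target does not.
function existsNoFollow(p: string): boolean {
  try { fs.lstatSync(p); return true; } catch { return false; }
}

/**
 * Resolve `requested` against `workspace`, following every symlink in every
 * existing component, and return the real path only if it is still inside the
 * real workspace. Components that do not exist yet (a file about to be
 * written) are appended after the deepest existing ancestor is resolved.
 * Dangling symlinks are rejected: writing through one would create the
 * target wherever the link points.
 */
export function resolveSafePath(workspace: string, requested: string): string {
  const realWorkspace = fs.realpathSync(workspace);
  const candidate = path.resolve(realWorkspace, requested); // also folds ".."

  // Peel trailing components off until something exists on disk.
  let existing = candidate;
  const missing: string[] = [];
  while (!existsNoFollow(existing)) {
    missing.unshift(path.basename(existing));
    const parent = path.dirname(existing);
    if (parent === existing) break; // reached the filesystem root
    existing = parent;
  }

  let real: string;
  try {
    real = fs.realpathSync(existing); // follows symlinks; throws on a dangling link
  } catch {
    throw new Error(`refusing unresolvable path: ${requested}`);
  }
  const resolved = path.join(real, ...missing);
  if (!isInside(realWorkspace, resolved)) {
    throw new Error(`path escapes workspace: ${requested} -> ${resolved}`);
  }
  return resolved;
}

/** Archive entry as a tar/zip reader would report it (shape assumed for this example). */
export interface ArchiveEntry {
  name: string;                           // path inside the archive
  type: 'file' | 'directory' | 'symlink';
  linkTarget?: string;                    // symlink target stored in the archive
}

/**
 * Validate one entry before extraction: its own path must stay inside the
 * workspace even through symlinks that earlier entries already created, and a
 * symlink entry's target must stay inside as well.
 */
export function checkArchiveEntry(workspace: string, entry: ArchiveEntry): string {
  const dest = resolveSafePath(workspace, entry.name);
  if (entry.type === 'symlink') {
    if (!entry.linkTarget) throw new Error(`symlink entry without target: ${entry.name}`);
    const target = path.isAbsolute(entry.linkTarget)
      ? entry.linkTarget
      : path.resolve(path.dirname(dest), entry.linkTarget);
    resolveSafePath(workspace, target); // throws if the link would point outside
  }
  return dest;
}

function rejects(fn: () => unknown): boolean {
  try { fn(); return false; } catch { return true; }
}

/** Constructed workspace: one benign file plus symlinks to a sibling directory outside it. */
export function runDemo(): Record<string, boolean> {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'symlink-demo-'));
  const workspace = path.join(root, 'workspace');
  const outside = path.join(root, 'outside');
  fs.mkdirSync(workspace);
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(workspace, 'README.md'), '# template output\n');
  fs.writeFileSync(path.join(outside, 'secret.txt'), 'constructed secret\n');
  // What a malicious template leaves in the workspace: links that look local but are not.
  fs.symlinkSync(path.join(outside, 'secret.txt'), path.join(workspace, 'notes.txt'));
  fs.symlinkSync(outside, path.join(workspace, 'linkdir'));

  const results = {
    plainFileAllowed: !rejects(() => resolveSafePath(workspace, 'README.md')),
    newFileAllowed: !rejects(() => resolveSafePath(workspace, 'src/new.ts')),
    symlinkFileRejected: rejects(() => resolveSafePath(workspace, 'notes.txt')),
    symlinkDirRejected: rejects(() => resolveSafePath(workspace, 'linkdir/secret.txt')),
    dotDotRejected: rejects(() => resolveSafePath(workspace, '../outside/secret.txt')),
    tarSymlinkOutsideRejected: rejects(() =>
      checkArchiveEntry(workspace, { name: 'cfg', type: 'symlink', linkTarget: '../outside' })),
    tarSymlinkInsideAllowed: !rejects(() =>
      checkArchiveEntry(workspace, { name: 'cfg', type: 'symlink', linkTarget: 'README.md' })),
    tarFileViaLinkdirRejected: rejects(() =>
      checkArchiveEntry(workspace, { name: 'linkdir/evil.sh', type: 'file' })),
  };
  fs.rmSync(root, { recursive: true, force: true });
  return results;
}
```

The important design choice is resolving the deepest existing ancestor with `realpathSync` rather than comparing strings: a lexical check passes `linkdir/evil.sh` because the string stays under the workspace, but the link makes the kernel write the file into the sibling directory. Checking the symlink target of an archive entry at extraction time, before the link exists, is what prevents a later file entry from being redirected through it.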

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

Symlink path traversal enables arbitrary file read (T1005, T1552.001 for secrets/credentials) and deletion (T1070.004) via Scaffolder actions and archive extraction.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33748 (shared CWE-22, CWE-59)
CVE-2026-24842 (shared CWE-22, CWE-59)
CVE-2026-6941 (shared CWE-22, CWE-59)
CVE-2026-33166 (shared CWE-22)
CVE-2026-4659 (shared CWE-22)
CVE-2026-23491 (shared CWE-22)
CVE-2025-1035 (shared CWE-22)
CVE-2026-0651 (shared CWE-22)
CVE-2026-24849 (shared CWE-22)
CVE-2025-2292 (shared CWE-22)

Affected Assets

Redhat (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

prevent: Enforces filesystem access boundaries so that Scaffolder template actions cannot follow attacker-supplied symlinks outside the intended workspace.

prevent: Restricts template creation and execution privileges to only the minimal set of users, directly implementing the permissions-framework workaround for this CVE.

prevent: Requires prompt application of the listed Backstage package patches that close the symlink path-traversal flaw in the affected actions.
