CVE-2026-24046
Published: 21 January 2026
Summary
CVE-2026-24046 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). Its exploit-likelihood percentile is 5.1 (well below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping has not run for this entry yet; the control below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories. For this CVE the check must be applied to the resolved path, with symbolic links followed, because the escape is through symlinks inside the workspace (CWE-59) rather than through `../` segments.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Symlink path traversal enables arbitrary file read (T1005; T1552.001 where the target is a secrets or credentials file) and arbitrary file deletion (T1070.004) via Scaffolder actions and archive extraction.
NVD Description
Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access.
Deeper analysis (AI-generated)
CVE-2026-24046 is a symlink-based path traversal vulnerability in multiple Scaffolder actions and archive extraction utilities within Backstage, an open framework for building developer portals. The issue affects any Backstage deployment where users can create or execute Scaffolder templates, enabling exploitation through symlinks that bypass intended filesystem boundaries.
An attacker with access to create and execute Scaffolder templates can leverage symlinks to read arbitrary files, such as /etc/passwd, configuration files, or secrets, via the debug:log action; delete arbitrary files outside the designated workspace using the fs:delete action; or write files outside the workspace by extracting malicious tar or zip archives containing symlinks. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-59 (Improper Link Resolution Before File Access).
Patches address the issue in @backstage/backend-defaults versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; @backstage/plugin-scaffolder-backend versions 2.2.2, 3.0.2, and 3.1.1; and @backstage/plugin-scaffolder-node versions 0.11.2 and 0.12.3, with users advised to upgrade to these or later versions. Workarounds include following the Backstage Threat Model to limit access to template creation and updates, restricting template creation and execution via the permissions framework, auditing existing templates for symlink usage, and deploying Backstage in a containerized environment with restricted filesystem access. Further details are in the GitHub security advisory at GHSA-rq6q-wr2q-7pgp and the fixing commit c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d.
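The three vectors in the NVD description and the analysis above share one root cause: a containment check that is lexical (it folds `..` out of the path) but never resolves symbolic links, so a link planted inside the workspace passes the check and the subsequent read, delete or write follows it out. The TypeScript below is an added example written for this page; it is not Backstage's code and not the fix in the cited commit. The function names (`naiveResolve`, `safeResolve`, `isSafeArchiveEntry`, `demo`) and the workspace layout are hypothetical, and the secrets file is a constructed stand-in for `/etc/passwd` or an app-config file. It shows the vulnerable pattern leaking the file on a `debug:log`-style read, the hardened check rejecting both the symlink and a `../` escape, and an archive-entry gate for the tar/zip write vector.

```typescript
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

// Illustrative code for this page, not Backstage's. All names are hypothetical.

function insideRoot(realRoot: string, p: string): boolean {
  return p === realRoot || p.startsWith(realRoot + path.sep);
}

function lstatOrNull(p: string): fs.Stats | null {
  try {
    return fs.lstatSync(p);
  } catch (e) {
    if ((e as { code?: string }).code === 'ENOENT') return null;
    throw e;
  }
}

// Vulnerable pattern: a purely lexical containment check. path.resolve() folds
// "..", so "../x" is caught, but symlinks are never followed, so a link inside
// the workspace that points at a secrets file passes and the caller reads it.
export function naiveResolve(root: string, rel: string): string {
  const target = path.resolve(root, rel);
  if (!insideRoot(root, target)) throw new Error(`path escapes workspace: ${rel}`);
  return target;
}

// Hardened variant: same lexical check, then walk the path one component at a
// time. Every component that is a symlink is canonicalised with realpath and must
// still land inside the canonical workspace; a dangling link is rejected. Components
// that do not exist yet are fine: a write creates them under an already-verified parent.
export function safeResolve(root: string, rel: string): string {
  const realRoot = fs.realpathSync(root);
  const target = naiveResolve(realRoot, rel);
  let current = realRoot;
  for (const part of path.relative(realRoot, target).split(path.sep)) {
    if (part === '') continue;
    current = path.join(current, part);
    const st = lstatOrNull(current);
    if (st === null) break; // rest of the path does not exist yet
    if (st.isSymbolicLink()) {
      let real: string | null = null;
      try { real = fs.realpathSync(current); } catch { /* dangling link */ }
      if (real === null) throw new Error(`dangling symlink in path: ${rel}`);
      if (!insideRoot(realRoot, real)) throw new Error(`symlink escapes workspace: ${rel}`);
      current = real;
    }
  }
  return target;
}

// Archive-extraction gate: the entry name must pass safeResolve (which also stops a
// file entry from being written *through* a symlink an earlier entry created), and a
// symlink entry's own link target must resolve inside the workspace.
export function isSafeArchiveEntry(root: string, entryName: string, linkTarget?: string): boolean {
  try {
    const dest = safeResolve(root, entryName);
    if (linkTarget !== undefined) {
      const realRoot = fs.realpathSync(root);
      if (!insideRoot(realRoot, path.resolve(path.dirname(dest), linkTarget))) return false;
    }
    return true;
  } catch {
    return false;
  }
}

function throws(fn: () => unknown): boolean {
  try { fn(); return false; } catch { return true; }
}

// Constructed scenario: a workspace containing a symlink that a malicious template
// step planted, pointing at a secrets file outside the workspace.
export function demo(): {
  naiveLeak: string;
  hardenedRejected: boolean;
  dotDotRejected: boolean;
  archive: { plainFile: boolean; inWorkspaceLink: boolean; absoluteLink: boolean; throughSymlink: boolean };
} {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'cve-2026-24046-'));
  const workspace = path.join(base, 'workspace');
  const outside = path.join(base, 'outside');
  fs.mkdirSync(workspace);
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(outside, 'secret.txt'), 'db_password=hunter2\n'); // constructed secret
  fs.symlinkSync(path.join(outside, 'secret.txt'), path.join(workspace, 'README.md'));
  try {
    // debug:log-style read: the lexical check passes and the secret comes back.
    const naiveLeak = fs.readFileSync(naiveResolve(workspace, 'README.md'), 'utf8');
    const hardenedRejected = throws(() => safeResolve(workspace, 'README.md'));
    const dotDotRejected = throws(() => safeResolve(workspace, '../outside/secret.txt'));
    const archive = {
      plainFile: isSafeArchiveEntry(workspace, 'src/index.ts'),
      inWorkspaceLink: isSafeArchiveEntry(workspace, 'docs/latest', '../catalog-info.yaml'),
      absoluteLink: isSafeArchiveEntry(workspace, 'etc', '/etc'),
      throughSymlink: isSafeArchiveEntry(workspace, 'README.md'),
    };
    return { naiveLeak, hardenedRejected, dotDotRejected, archive };
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
}
```

`demo()` builds the layout under a temporary directory and removes it again. The component-by-component `lstat` walk is the part that matters: calling `realpathSync` only on the final path would throw on a dangling symlink, and an implementation that falls back to the lexical path in that case still lets a write escape through the link.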
Details
- CWE(s)