CVE-2026-29186
Published: 07 March 2026
Summary
CVE-2026-29186 is a high-severity Injection (CWE-74) vulnerability in Linuxfoundation Backstage Plugin-Techdocs-Node. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of software flaws like the allowlist gap in @backstage/plugin-techdocs-node, as patched in version 1.14.3 to prevent arbitrary Python code execution.
Mandates validation of inputs such as malicious mkdocs.yml files to neutralize special elements and block bypass of TechDocs security controls leading to code execution.
Enforces secure configuration settings for the TechDocs documentation build process to address gaps in MkDocs configuration filtering.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in network-accessible Backstage TechDocs build process allows arbitrary Python code execution via malicious mkdocs.yml config bypass, directly enabling T1190 (public-facing app exploitation) and T1059.006 (Python interpreter abuse).
NVD Description
Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build…
more
process. A gap in this allowlist allows attackers to craft an mkdocs.yml that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3.
Deeper analysisAI
CVE-2026-29186 is a configuration bypass vulnerability in the @backstage/plugin-techdocs-node package of Backstage, an open framework for building developer portals. Affecting versions prior to 1.14.3, the flaw stems from a gap in the allowlist used to filter dangerous MkDocs configuration keys during the TechDocs documentation build process. This allows attackers to craft a malicious mkdocs.yml file that triggers arbitrary Python code execution, fully bypassing TechDocs' security controls. The vulnerability is rated 7.7 on the CVSS 3.1 scale (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L) and is associated with CWEs-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
An attacker with low privileges, such as a authenticated user able to submit or influence TechDocs documentation builds over the network, can exploit this vulnerability despite its high attack complexity and lack of user interaction requirements. By exploiting the allowlist gap, the attacker achieves arbitrary Python code execution on the server during the MkDocs build process, potentially leading to high confidentiality impacts, scope changes, and limited integrity or availability disruptions.
The GitHub Security Advisory (GHSA-928r-fm4v-mvrw) confirms the issue has been patched in Backstage version 1.14.3, recommending immediate upgrades to mitigate the risk of arbitrary code execution.
Details
- CWE(s)