Listen to this Post
The vulnerability, identified as CVE-2026-32237, resides in the `@backstage/plugin-scaffolder-backend` and allows authenticated users with permission to execute software template “dry-runs” to access sensitive server-configured environment secrets . The issue stems from incomplete redaction in the API response payload. While secrets are properly masked in log outputs, they are unintentionally exposed in other parts of the response when a dry-run is executed . This affects any Backstage deployment that leverages the `scaffolder.defaultEnvironment.secrets` configuration to inject common secrets into its software templates . The flaw is present in versions from 3.1.0 up to, but not including, 3.1.5 . An attacker could exploit this by simply performing a dry-run of a scaffolder template and inspecting the full API response for data that should have been redacted.
dailycve form:
Platform: Backstage
Version: 3.1.0 to 3.1.4
Vulnerability : Information Exposure
Severity: Moderate (CVSS 4.4)
date: March 11, 2026
Prediction: Patched (3.1.5 released)
What Undercode Say:
Analytics
This vulnerability is concerning as it bypasses the intended security of defaultEnvironment.secrets, a feature designed to securely inject secrets from environment variables into templating actions . The flaw lies in the redaction logic within the dry-run endpoint’s response formatter, which fails to scrub the data from all nested objects or fields in the JSON payload . Deployments using this feature are highly susceptible to internal information disclosure, potentially exposing cloud provider keys or API tokens.
How Exploit
An attacker with low-level privileges (PR:H) could exploit this by sending a crafted request to the dry-run API endpoint. The following is a conceptual example of the attack vector.
1. Authenticate and obtain a session token (example)
curl -X POST https://backstage-instance.com/api/auth/login -d '{"user":"attacker","pass":"compromised"}'
2. Execute a dry-run on a known template
curl -X POST https://backstage-instance.com/api/scaffolder/v2/tasks/execute-dry-run \
-H "Authorization: Bearer <TOKEN>" \
-d '{"templateRef":"template:default/simple-template"}'
3. Inspect the full response for unredacted secrets
The response might contain a structure like:
{
"logs": [...],
"output": {
"secretToken": "s3cr3t-value", // <-- Unredacted exposure
"deploymentKey": "..."
}
}
Protection from this CVE
Immediate mitigation steps can be taken without a full upgrade.
Workaround 1: Remove secrets from the configuration file (app-config.yaml)
Edit the file and comment out or empty the secrets block
scaffolder:
defaultEnvironment:
secrets:
AWS_ACCESS_KEY: ${AWS_ACCESS_KEY}
GITHUB_TOKEN: ${GITHUB_TOKEN}
parameters:
region: eu-west-1
Workaround 2: Restrict permissions via the permissions framework
Use the permission policy to deny access to the dry-run functionality
for non-admin users. Example policy logic:
if (request.permission.name === 'scaffolder.dry-run') {
return NotAllowed();
}
Permanent Fix: Upgrade to the patched version
yarn --cwd packages/backend add @backstage/[email protected]
Impact
A successful exploit leads to the exposure of sensitive environment secrets. This could include database passwords, cloud provider access keys, or API tokens that are centrally configured for the scaffolder . With these credentials, an attacker could pivot to other internal systems, escalate privileges, or tamper with software supply chain processes, leading to a broader compromise of the development infrastructure .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

