Exposure of Sensitive System Information to an Unauthorized Control Sphere in @backstage/plugin-scaffolder-backend | CVE-2026-32237

Q: How to fix?

Upgrade @backstage/plugin-scaffolder-backend to version 3.1.5 or higher.

Introduced: 12 Mar 2026

NewCVE-2026-32237 (opens in a new tab) CWE-497 (opens in a new tab)

How to fix?

Upgrade @backstage/plugin-scaffolder-backend to version 3.1.5 or higher.

Overview

@backstage/plugin-scaffolder-backend is a The Backstage backend plugin that helps you create new things

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the dry-run endpoint when secrets configured in scaffolder.defaultEnvironment.secrets are included in the server configuration. An attacker can access sensitive environment secrets by executing dry-run operations and inspecting the API response payload, as these secrets are not properly redacted in all parts of the response.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
High
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Exposure of Sensitive System Information to an Unauthorized Control Sphere Affecting @backstage/plugin-scaffolder-backend package, versions >=3.1.0 <3.1.5

Severity

Do your applications use this vulnerable package?

Introduced: 12 Mar 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk