SCA: security update for @backstage/backend-defaults, @backstage/plugin-scaffolder-backend, @backstage/plugin-scaffolder-node (GHSA-rq6q-wr2q-7pgp)

critical Tenable Cloud Security Plugin ID 436877

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive
extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to
create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log`
action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files,
secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the
workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious
symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates.
This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0;
`@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-
scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some
workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to
creating and updating templates, restrict who can create and execute Scaffolder templates using the
permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized
environment with limited filesystem access. (CVE-2026-24046)

See Also

https://github.com/advisories/GHSA-rq6q-wr2q-7pgp

Plugin Details

Severity: Critical

ID: 436877

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/22/2026

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

Percentile: 57.49

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:N/A:P

CVSS Score Source: CVE-2026-24046

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/21/2026

Vulnerability Publication Date: 1/21/2026

Reference Information

CVE: CVE-2026-24046