Backstage Scaffolder Backend Exposes User Session Tokens
GHSA-8qp7-fhr9-fw53
CVE-2026-29184
Summary
A malicious Backstage Scaffolder template can steal sensitive user session data. This happens when a malicious template is created and used by an unsuspecting user. To protect against this, update to the latest version of the Scaffolder Backend plugin or implement custom permissions to limit who can access task logs and register templates.
What to do
- Update backstage plugin-scaffolder-backend to version 3.1.4.
- Update backstage @backstage/plugin-scaffolder-backend to version 3.1.4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| backstage | plugin-scaffolder-backend | <= 3.1.3 | 3.1.4 |
| backstage | @backstage/plugin-scaffolder-backend | <= 3.1.4 | 3.1.4 |
Original title
@backstage/plugin-scaffolder-backend Vulnerable to Potential Session Token Exfiltration via Log Redaction Bypass
Original description
### Impact
A malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided to a task run, by writing them into the task event logs.
The attack requires:
- The ability to register a template in the catalog
- A victim who executes the malicious template
### Patches
Patched in `@backstage/plugin-scaffolder-backend` version 3.1.4
### Workarounds
- Implement a custom permission policy that restricts scaffolder.task.read so users can only read their own task logs
- Restrict who can register templates in the catalog to trusted users only
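The two workarounds above are both expressed as a Backstage permission policy. The block below is an added example, not code from the advisory or the Backstage project: it models such a policy stand-alone, with simplified stand-ins for the types in @backstage/plugin-permission-node and @backstage/plugin-permission-common so it runs offline. The condition rule name IS_TASK_OWNER is a placeholder, not a verified Backstage rule identifier; the group name and task records are constructed; scaffolder.task.read is the permission named in the advisory, and catalog.location.create is the catalog plugin's permission for registering a new location, which is how templates enter the catalog.

```typescript
// Added example, not code from the advisory or the Backstage project: a stand-alone model of a
// Backstage permission policy that applies the two workarounds. The types are simplified
// stand-ins for the real ones in @backstage/plugin-permission-node and -common, and the
// condition rule name IS_TASK_OWNER is a placeholder, not a verified Backstage rule id.

type Permission = { name: string; resourceType?: string };
type PolicyQuery = { permission: Permission };
type PolicyQueryUser = {
  identity: { userEntityRef: string; ownershipEntityRefs: string[] };
};

// Condition attached to a CONDITIONAL decision; the scaffolder backend evaluates it per task.
type TaskOwnerCondition = {
  rule: 'IS_TASK_OWNER'; // placeholder rule name (assumption)
  resourceType: 'scaffolder-task';
  params: { createdBy: string };
};

type PolicyDecision =
  | { result: 'ALLOW' }
  | { result: 'DENY' }
  | { result: 'CONDITIONAL'; pluginId: 'scaffolder'; resourceType: 'scaffolder-task'; conditions: TaskOwnerCondition };

// scaffolder.task.read is the permission named in the advisory. catalog.location.create is the
// catalog plugin's permission for registering a new location, which is how templates are added.
const TASK_READ = 'scaffolder.task.read';
const LOCATION_CREATE = 'catalog.location.create';

// Constructed group that is trusted to register templates.
const TEMPLATE_PUBLISHERS = 'group:default/platform-team';

class ScaffolderHardeningPolicy {
  handle(request: PolicyQuery, user?: PolicyQueryUser): PolicyDecision {
    // Unauthenticated requests get nothing.
    if (!user) {
      return { result: 'DENY' };
    }
    // Workaround 1: task logs are readable only by the user who created the task.
    if (request.permission.name === TASK_READ) {
      return {
        result: 'CONDITIONAL',
        pluginId: 'scaffolder',
        resourceType: 'scaffolder-task',
        conditions: {
          rule: 'IS_TASK_OWNER',
          resourceType: 'scaffolder-task',
          params: { createdBy: user.identity.userEntityRef },
        },
      };
    }
    // Workaround 2: only a trusted group may register new catalog locations (templates).
    if (request.permission.name === LOCATION_CREATE) {
      const trusted = user.identity.ownershipEntityRefs.includes(TEMPLATE_PUBLISHERS);
      return trusted ? { result: 'ALLOW' } : { result: 'DENY' };
    }
    // Everything else keeps the default allow-all behaviour.
    return { result: 'ALLOW' };
  }
}

// Minimal task record; in Backstage the task row carries the creator's entity ref.
type Task = { id: string; createdBy: string };

// Local evaluator so the decision's effect can be checked offline against sample tasks.
function taskReadAllowed(decision: PolicyDecision, task: Task): boolean {
  if (decision.result === 'ALLOW') return true;
  if (decision.result === 'DENY') return false;
  return task.createdBy === decision.conditions.params.createdBy;
}

// Constructed sample tasks: one started by alice, one by mallory.
const TASKS: Task[] = [
  { id: 'task-1', createdBy: 'user:default/alice' },
  { id: 'task-2', createdBy: 'user:default/mallory' },
];

function userFor(userRef: string, groups: string[]): PolicyQueryUser {
  return { identity: { userEntityRef: userRef, ownershipEntityRefs: [userRef, ...groups] } };
}

// Task ids whose logs `userRef` may read under the policy.
function readableTaskIds(userRef: string, groups: string[] = []): string[] {
  const decision = new ScaffolderHardeningPolicy().handle(
    { permission: { name: TASK_READ, resourceType: 'scaffolder-task' } },
    userFor(userRef, groups),
  );
  return TASKS.filter(t => taskReadAllowed(decision, t)).map(t => t.id);
}

// Whether `userRef` may register a new catalog location (and thus a template).
function canRegisterTemplates(userRef: string, groups: string[] = []): boolean {
  const decision = new ScaffolderHardeningPolicy().handle(
    { permission: { name: LOCATION_CREATE } },
    userFor(userRef, groups),
  );
  return decision.result === 'ALLOW';
}

console.log(readableTaskIds('user:default/alice'));        // ["task-1"]
console.log(canRegisterTemplates('user:default/mallory')); // false
```

In a real deployment the class would implement PermissionPolicy from @backstage/plugin-permission-node and build the conditional decision with the scaffolder plugin's own condition helpers rather than the placeholder rule above; the point of the model is that a CONDITIONAL decision scoped to the requesting user's entity ref leaves users unable to read another user's task logs even before upgrading to 3.1.4, and that gating catalog.location.create shrinks the set of people who can register a template at all.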
### Resources
- Backstage Scaffolder permissions documentation: https://backstage.io/docs/permissions/plugin-authors/01-setup/
- Backstage Threat Model: https://backstage.io/docs/overview/threat-model/
CVSS 3.1 score (GHSA): 2.0
Vulnerability type
CWE-532
Insertion of Sensitive Information into Log File
- https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53
- https://backstage.io/docs/overview/threat-model
- https://backstage.io/docs/permissions/plugin-authors/01-setup
- https://github.com/advisories/GHSA-8qp7-fhr9-fw53
- https://nvd.nist.gov/vuln/detail/CVE-2026-29184
- https://github.com/backstage/backstage (product)
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026