Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.4
Backstage Scaffolder Backend: Default Environment Secrets Leak
GHSA-8wq8-6859-qx77
CVE-2026-32237
Summary
Authenticated users with permission to run dry-runs on Backstage's Scaffolder Backend can access server-configured environment secrets. This is fixed in version 3.1.5. To avoid the issue, either remove default environment secrets from your app's config or limit access to the dry-run feature.
What to do
- Update backstage plugin-scaffolder-backend to version 3.1.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| backstage | plugin-scaffolder-backend | > 3.1.0 , <= 3.1.5 | 3.1.5 |
Original title
@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint
Original description
### Impact
Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly
redacted in log output but not in all parts of the response payload.
Deployments that have configured `scaffolder.defaultEnvironment.secrets` are affected.
### Patches
This is patched in `@backstage/plugin-scaffolder-backend` version 3.1.5
### Workarounds
Remove or empty the `scaffolder.defaultEnvironment.secrets` configuration from `app-config.yaml`. Alternatively, restrict access to the scaffolder dry-run functionality via the
permissions framework.
### References
- [Backstage Scaffolder Backend documentation](https://backstage.io/docs/features/software-templates/)
Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly
redacted in log output but not in all parts of the response payload.
Deployments that have configured `scaffolder.defaultEnvironment.secrets` are affected.
### Patches
This is patched in `@backstage/plugin-scaffolder-backend` version 3.1.5
### Workarounds
Remove or empty the `scaffolder.defaultEnvironment.secrets` configuration from `app-config.yaml`. Alternatively, restrict access to the scaffolder dry-run functionality via the
permissions framework.
### References
- [Backstage Scaffolder Backend documentation](https://backstage.io/docs/features/software-templates/)
ghsa CVSS3.1
4.4
Vulnerability type
CWE-200
Information Exposure
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026