Red Hat Backstage Orchestrator Plugin Crashes with Malicious Input
CVE-2026-3118
Summary
An authenticated user can crash the Backstage application by sending specially crafted input, causing a temporary Denial of Service: the application crashes and restarts, and users cannot access the platform until it comes back. Update your Backstage application to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| redhat | developer_hub | All versions | – |
Original description
A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.
NVD CVSS 3.1 score: 6.5
Vulnerability type
CWE-89: SQL Injection
References
- https://access.redhat.com/security/cve/CVE-2026-3118 (Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2442273 (Issue Tracking, Vendor Advisory)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026