{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24048", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-20T22:30:11.778Z", "datePublished": "2026-01-21T22:51:44.015Z", "dateUpdated": "2026-01-22T16:48:55.954Z"}, "containers": {"cna": {"title": "Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9"}, {"name": "https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb"}], "affected": [{"vendor": "backstage", "product": "backstage", "versions": [{"version": "< 0.12.2", "status": "affected"}, {"version": ">= 0.13.0, < 0.13.2", "status": "affected"}, {"version": ">= 0.14.0, < 0.14.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-21T22:51:44.015Z"}, "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints."}], "source": {"advisory": "GHSA-q2x5-4xjx-c6p9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T15:09:12.796088Z", "id": "CVE-2026-24048", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T16:48:55.954Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24048", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T15:09:12.796088Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T15:09:14.747Z"}}], "cna": {"title": "Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`", "source": {"advisory": "GHSA-q2x5-4xjx-c6p9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "backstage", "product": "backstage", "versions": [{"status": "affected", "version": "< 0.12.2"}, {"status": "affected", "version": ">= 0.13.0, < 0.13.2"}, {"status": "affected", "version": ">= 0.14.0, < 0.14.1"}]}], "references": [{"url": "https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9", "name": "https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb", "name": "https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-21T22:51:44.015Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24048", "state": "PUBLISHED", "dateUpdated": "2026-01-22T16:48:55.954Z", "dateReserved": "2026-01-20T22:30:11.778Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-21T22:51:44.015Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:backstage\\/backend_defaults:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E08D45A6-7DA9-4A8F-8F55-9AF20C57D52F", "versionEndExcluding": "0.12.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:backstage\\/backend_defaults:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "EE49AAE8-2821-4862-926A-358CB9291669", "versionEndIncluding": "0.13.2", "versionStartIncluding": "0.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:backstage\\/backend_defaults:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8C648CE5-74D9-4293-A373-CCAB072B2A96", "versionEndIncluding": "0.14.1", "versionStartIncluding": "0.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints."}, {"lang": "es", "value": "Backstage es un framework abierto para construir portales de desarrolladores, y @backstage/backend-defaults proporciona las implementaciones y configuraci\u00f3n predeterminadas para una aplicaci\u00f3n backend est\u00e1ndar de Backstage. Antes de las versiones 0.12.2, 0.13.2, 0.14.1 y 0.15.0, el componente 'FetchUrlReader', utilizado por el cat\u00e1logo y otros plugins para obtener contenido de URLs, segu\u00eda las redirecciones HTTP autom\u00e1ticamente. Esto permit\u00eda a un atacante que controla un host listado en 'backend.reading.allow' redirigir peticiones a URLs internas o sensibles que no est\u00e1n en la lista de permitidos, eludiendo el control de seguridad de la lista de permitidos de URLs. Esta es una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) que podr\u00eda permitir el acceso a recursos internos, pero no permite a los atacantes incluir encabezados de petici\u00f3n adicionales. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.12.2, 0.13.2, 0.14.1 y 0.15.0 de '@backstage/backend-defaults'. Los usuarios deber\u00edan actualizar a esta versi\u00f3n o posterior. Hay disponibles algunas soluciones alternativas. Restrinja 'backend.reading.allow' solo a hosts de confianza que usted controle y que no emitan redirecciones, aseg\u00farese de que los hosts permitidos no tengan vulnerabilidades de redirecci\u00f3n abierta, y/o utilice controles a nivel de red para bloquear el acceso desde Backstage a puntos finales internos sensibles."}], "id": "CVE-2026-24048", "lastModified": "2026-04-25T18:01:55.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-21T23:15:53.580", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "@backstage/backend-defaults: Backstage SSRF when reading from allowed URL's in `backend.reading.allow`", "id": "2431884", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431884"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-24048", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}], "public_date": "2026-01-21T22:51:44Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24048\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24048\nhttps://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb\nhttps://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-18T15:30:16.313164+00:00", "value": {"mitigation_remediation": ["Upgrade @backstage/backend-defaults to version\u00a00.12.2,\u00a00.13.2,\u00a00.14.1, or\u00a00.15.0 or later to fix the redirect issue.", "Restrict backend.reading.allow to only trusted hosts that do not issue redirects or have no open redirect vulnerabilities.", "Implement network\u2011level controls to block outbound requests from Backstage to sensitive internal endpoints, adding an extra layer of protection."], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Backstage, the open framework for developer portals, and its backend-defaults component are affected. All versions prior to 0.12.2, 0.13.2, 0.14.1, and 0.15.0 of @backstage/backend-defaults contain the vulnerability. Identified through the cpe mapping and vendor/product listing.", "description_and_impact": "The FetchUrlReader in @backstage/backend-defaults followed HTTP redirects automatically before certain releases, allowing an attacker controlling a host listed in backend.reading.allow to redirect to internal or sensitive URLs not on the allowlist. This bypasses the URL allowlist security control and results in a Server\u2011Side Request Forgery that can expose internal resources. The flaw does not allow injection of additional request headers.", "risk_and_exploitability": "The vulnerability has a CVSS v3.1 score of 3.5, placing it in the low severity range. The EPSS indicates an exploitation probability of less than 1%, and the CVE is not listed in the CISA KEV catalog. The explicit lack of support for header manipulation suggests that the attack vector primarily relies on redirect loops from allowed hosts. Given these characteristics, the risk is considered low in environments where allowed hosts can be compromised or are not strictly controlled."}}}}, "created": "2026-01-22T10:08:41.616773+00:00", "updated": "2026-04-18T15:45:04.261105+00:00", "vendors": ["backstage", "backstage$PRODUCT$backstage"]}