{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29184", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T14:44:00.714Z", "datePublished": "2026-03-07T15:03:18.226Z", "dateUpdated": "2026-03-09T20:24:16.597Z"}, "containers": {"cna": {"title": "@backstage/plugin-scaffolder-backend: Potential Session Token Exfiltration via Log Redaction Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53"}], "affected": [{"vendor": "backstage", "product": "backstage", "versions": [{"version": "< 3.1.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:03:18.226Z"}, "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs. This issue has been patched in version 3.1.4."}], "source": {"advisory": "GHSA-8qp7-fhr9-fw53", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29184", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:14:42.814469Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:24:16.597Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29184", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:14:42.814469Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:15:42.441Z"}}], "cna": {"title": "@backstage/plugin-scaffolder-backend: Potential Session Token Exfiltration via Log Redaction Bypass", "source": {"advisory": "GHSA-8qp7-fhr9-fw53", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "backstage", "product": "backstage", "versions": [{"status": "affected", "version": "< 3.1.4"}]}], "references": [{"url": "https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53", "name": "https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs. This issue has been patched in version 3.1.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:03:18.226Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29184", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:24:16.597Z", "dateReserved": "2026-03-04T14:44:00.714Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T15:03:18.226Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:backstage\\/plugin-scaffolder-backend:*:*:*:*:*:*:*:*", "matchCriteriaId": "05E69C9E-4CB6-4108-90BC-5C593044CA29", "versionEndExcluding": "3.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs. This issue has been patched in version 3.1.4."}, {"lang": "es", "value": "Backstage es un framework abierto para construir portales de desarrolladores. Antes de la versi\u00f3n 3.1.4, una plantilla de andamiaje maliciosa puede eludir el mecanismo de redacci\u00f3n de registros para exfiltrar secretos proporcionados que se ejecutan a trav\u00e9s de los registros de eventos de tareas. Este problema ha sido parcheado en la versi\u00f3n 3.1.4."}], "id": "CVE-2026-29184", "lastModified": "2026-04-25T18:01:46.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-07T15:15:55.080", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "@backstage/plugin-scaffolder-backend: Backstage Scaffolder Backend: Information disclosure via malicious template bypassing log redaction", "id": "2445468", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445468"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-117", "details": ["Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs. This issue has been patched in version 3.1.4."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-29184", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-03-07T15:03:18Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-29184\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29184\nhttps://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "backstage", "source": "cna", "vendor": "backstage"}, "product": "backstage", "vendor": "backstage"}], "analysis": {"en": {"generated_at": "2026-04-16T10:56:29.150413+00:00", "value": {"mitigation_remediation": ["Upgrade Backstage to version\u202f3.1.4 or newer, which removes the log\u2011redaction bypass", "Ensure that log\u2011redaction is enabled and correctly configured for all log streams", "Restrict scaffolder template creation to a trusted whitelist and validate templates before deployment"], "summary": {"action": "Apply Patch", "impact": "Confidentiality Breach"}, "threat_synthesis": {"affected_systems": "Backstage, the open framework for developer portals, is affected in all releases prior to version 3.1.4. The issue has been patched in 3.1.4 and later versions.", "description_and_impact": "A malicious scaffolder template can bypass the log\u2011redaction mechanism in Backstage, allowing secrets such as session tokens to be written into task event logs. The vulnerability enables an attacker to exfiltrate sensitive data that should have been sanitized before logging, potentially compromising authentication tokens and other confidential information.", "risk_and_exploitability": "The CVSS score is 2, indicating a low severity assessment, and the EPSS score is less than 1\u202f%, suggesting a very low probability of public exploitation. However, the vulnerability can be exploited by an attacker who can supply or modify a scaffolder template. The attack requires the ability to insert custom templates into the Backstage instance, after which the template's execution will generate event logs that contain the leaked secrets. While the immediate risk is limited, the exposure of sensitive tokens could enable further compromise if additional system access is achieved."}}}}, "created": "2026-03-09T10:05:23.830003+00:00", "updated": "2026-04-16T11:00:10.653522+00:00", "vendors": ["backstage", "backstage$PRODUCT$backstage"]}