{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32237", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T14:47:05.684Z", "datePublished": "2026-03-12T18:38:57.156Z", "dateUpdated": "2026-03-12T20:46:35.503Z"}, "containers": {"cna": {"title": "@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/backstage/backstage/security/advisories/GHSA-8wq8-6859-qx77", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-8wq8-6859-qx77"}, {"name": "https://github.com/backstage/backstage/commit/3b62dd2d6bf7623ebd23e4b5a6dceb209f98dfce", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/3b62dd2d6bf7623ebd23e4b5a6dceb209f98dfce"}], "affected": [{"vendor": "@backstage", "product": "plugin-scaffolder-backend", "versions": [{"version": "< 3.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T18:38:57.156Z"}, "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5."}], "source": {"advisory": "GHSA-8wq8-6859-qx77", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T20:38:11.609691Z", "id": "CVE-2026-32237", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:46:35.503Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32237", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T20:38:11.609691Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:38:12.324Z"}}], "cna": {"title": "@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint", "source": {"advisory": "GHSA-8wq8-6859-qx77", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "@backstage", "product": "plugin-scaffolder-backend", "versions": [{"status": "affected", "version": "< 3.1.5"}]}], "references": [{"url": "https://github.com/backstage/backstage/security/advisories/GHSA-8wq8-6859-qx77", "name": "https://github.com/backstage/backstage/security/advisories/GHSA-8wq8-6859-qx77", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/backstage/backstage/commit/3b62dd2d6bf7623ebd23e4b5a6dceb209f98dfce", "name": "https://github.com/backstage/backstage/commit/3b62dd2d6bf7623ebd23e4b5a6dceb209f98dfce", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T18:38:57.156Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32237", "state": "PUBLISHED", "dateUpdated": "2026-03-12T20:46:35.503Z", "dateReserved": "2026-03-11T14:47:05.684Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T18:38:57.156Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:backstage\\/plugin-scaffolder-backend:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "39A36240-5656-4C93-8F48-8A0A8B3362C6", "versionEndExcluding": "3.1.5", "versionStartIncluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5."}, {"lang": "es", "value": "Backstage es un framework abierto para construir portales de desarrollador. Antes de la versi\u00f3n 3.1.5, los usuarios autenticados con permiso para ejecutar 'dry-runs' de scaffolder pueden obtener acceso a secretos de entorno configurados en el servidor a trav\u00e9s de la respuesta de la API del 'dry-run'. Los secretos se redactan correctamente en la salida de registro, pero no en todas las partes de la carga \u00fatil de la respuesta. Las implementaciones que han configurado scaffolder.defaultEnvironment.secrets se ven afectadas. Esto se ha parcheado en la versi\u00f3n 3.1.5 de @backstage/plugin-scaffolder-backend."}], "id": "CVE-2026-32237", "lastModified": "2026-04-30T18:34:38.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-12T19:16:19.040", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/backstage/backstage/commit/3b62dd2d6bf7623ebd23e4b5a6dceb209f98dfce"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-8wq8-6859-qx77"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "@backstage/plugin-scaffolder-backend: @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint", "id": "2447080", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447080"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-497", "details": ["A data exposure flaw has been discovered in the @backstage/plugin-scaffolder-backend npm library. Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-32237", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-03-12T18:38:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32237\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32237\nhttps://github.com/backstage/backstage/commit/3b62dd2d6bf7623ebd23e4b5a6dceb209f98dfce\nhttps://github.com/backstage/backstage/security/advisories/GHSA-8wq8-6859-qx77"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "plugin-scaffolder-backend", "source": "cna", "vendor": "@backstage"}, "product": "plugin-scaffolder-backend", "vendor": "backstage"}], "analysis": {"en": {"generated_at": "2026-03-19T22:35:36.161852+00:00", "value": {"mitigation_remediation": ["Upgrade @backstage/plugin-scaffolder-backend to version 3.1.5 or newer", "Review and remove or securely manage any scaffolder.defaultEnvironment.secrets if possible", "If upgrade is not yet feasible, restrict dry\u2011run permissions to trusted users only", "Verify that any logs or responses no longer contain unredacted secrets after remediation"], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is @backstage:plugin-scaffolder-backend. All deployments using a version prior to 3.1.5 that have configured scaffolder.defaultEnvironment.secrets are impacted. The common platform enumeration string for the affected platform is cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*.*", "description_and_impact": "Backstage is an open framework for building developer portals. Prior to version 3.1.5, an authenticated user with permission to execute scaffolder dry\u2011runs can gain access to server\u2011configured environment secrets via the dry\u2011run API response; the payload does not fully redact secrets, which can expose sensitive data. This flaw represents a information disclosure weakness (CWE\u2011200) and a related data handling issue (CWE\u2011497).", "risk_and_exploitability": "The CVSS score of 4.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploit requires authentication and permission to run dry\u2011runs, and is limited to the specific configured environment secrets of the deployment. The official fix is included in version 3.1.5 of the plugin, which fully redacts secrets from the dry\u2011run response."}}}}, "created": "2026-03-13T09:50:16.615376+00:00", "updated": "2026-03-23T09:55:00.945401+00:00", "vendors": ["backstage", "backstage$PRODUCT$plugin-scaffolder-backend"]}