CVE-2026-24046
Backstage has a Possible Symlink Path Traversal in Scaffolder Actions
Description
### Impact

Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal (CWE-59). An attacker who can create and execute Scaffolder templates could plant a symlink inside the template workspace and use it to:

1. **Read arbitrary files** via the `debug:log` action, by pointing the symlink at sensitive files (e.g., `/etc/passwd`, configuration files, secrets)
2. **Delete arbitrary files** via the `fs:delete` action, by pointing the symlink outside the workspace
3. **Write files outside the workspace** via archive extraction (tar/zip) of an archive containing malicious symlink entries

This affects any Backstage deployment where users can create or execute Scaffolder templates.

### Patches

This vulnerability is fixed in the following package versions:

- `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, 0.15.0
- `@backstage/plugin-scaffolder-backend` version 2.2.2, 3.0.2, 3.1.1
- `@backstage/plugin-scaffolder-node` version 0.11.2, 0.12.3

Users should upgrade to the fixed version for the release line they are on, or later.

### Workarounds

- Follow the recommendation in the [Backstage Threat Model](https://backstage.io/docs/overview/threat-model#scaffolder) to limit access to creating and updating templates
- Restrict who can create and execute Scaffolder templates using the permissions framework
- Audit existing templates for symlink usage
- Run Backstage in a containerized environment with limited filesystem access

### References

- [CWE-59: Improper Link Resolution Before File Access](https://cwe.mitre.org/data/definitions/59.html)
- [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
How to fix CVE-2026-24046
To remediate CVE-2026-24046, upgrade each affected package to the fixed release for the line you are on. "Or later" is per release line: a version on a later line is only fixed at that line's listed patch.
- `@backstage/backend-defaults`: upgrade to 0.12.2, 0.13.2, 0.14.1 or 0.15.0, or later on that line
- `@backstage/plugin-scaffolder-backend`: upgrade to 2.2.2, 3.0.2 or 3.1.1, or later on that line
- `@backstage/plugin-scaffolder-node`: upgrade to 0.11.2 or 0.12.3, or later on that line
Is CVE-2026-24046 being exploited?
Low. The EPSS score is 0.0%, meaning the EPSS model estimates a very low probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not a record of observed attacks, and it does not account for the precondition here: the attacker must already be a user who can create and execute Scaffolder templates, so the practical risk depends on how widely that privilege is granted in your deployment.