CVE-2026-32237
@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint
Description
### Impact
Authenticated users with permission to execute scaffolder dry-runs can obtain server-configured environment secrets from the dry-run API response. Secrets are redacted in log output, but not in every part of the response payload. Only deployments that set `scaffolder.defaultEnvironment.secrets` are affected.

### Patches
Patched in `@backstage/plugin-scaffolder-backend` version 3.1.5.

### Workarounds
Remove or empty the `scaffolder.defaultEnvironment.secrets` block in `app-config.yaml`. Alternatively, restrict who may run scaffolder dry-runs via the permissions framework.

### References
- [Backstage Scaffolder Backend documentation](https://backstage.io/docs/features/software-templates/)
How to fix CVE-2026-32237
To remediate CVE-2026-32237, upgrade the affected package to the fixed version listed below.
- `@backstage/plugin-scaffolder-backend`: upgrade to 3.1.5 or later
Is CVE-2026-32237 being exploited?
Low: EPSS is 0.0%, a near-zero predicted probability of exploitation in the next 30 days. EPSS is a forecast, not an observation of attacks, so it neither confirms nor rules out exploitation. The only precondition here is an authenticated user who is permitted to run dry-runs, so treat the score as a prioritisation signal rather than a reason to defer the upgrade.
Affected packages (1)
- `@backstage/plugin-scaffolder-backend` >= 3.1.0, < 3.1.5
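The following is an added example, not Backstage project code, that turns the advisory's affected range and workaround into a check a deployment can run: it compares the installed `@backstage/plugin-scaffolder-backend` version against `>= 3.1.0, < 3.1.5` and inspects the parsed app-config for a non-empty `scaffolder.defaultEnvironment.secrets` map. The package name, range and config key come from the advisory; the function names and the two sample config objects are this example's own assumptions.

```javascript
// Added example, not Backstage project code: assess whether a deployment is
// exposed to CVE-2026-32237 from the installed plugin version and the parsed
// app-config. The package name, version range and config key come from the
// advisory; the function names and sample configs are this example's own.
const AFFECTED_PACKAGE = '@backstage/plugin-scaffolder-backend';
const FIRST_AFFECTED = '3.1.0'; // inclusive lower bound of the affected range
const FIXED_VERSION = '3.1.5';  // first patched release (exclusive upper bound)

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (an optional leading "v" is allowed)
// into { nums, pre }. Throws on anything that is not a dotted triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver-style ordering: numeric components first; on a tie, a prerelease
// sorts before the matching release (3.1.5-next.0 < 3.1.5). Prerelease
// identifiers are not compared against each other, which is enough for a
// range check against plain release bounds.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// True when version falls in the advisory's range ">= 3.1.0, < 3.1.5".
function isAffectedVersion(version) {
  return compareVersions(version, FIRST_AFFECTED) >= 0 &&
         compareVersions(version, FIXED_VERSION) < 0;
}

// True when app-config defines a non-empty scaffolder.defaultEnvironment.secrets
// map, i.e. there is something for the dry-run response to expose.
function hasDefaultEnvironmentSecrets(appConfig) {
  const secrets = appConfig && appConfig.scaffolder &&
    appConfig.scaffolder.defaultEnvironment &&
    appConfig.scaffolder.defaultEnvironment.secrets;
  return !!secrets && typeof secrets === 'object' && Object.keys(secrets).length > 0;
}

// Combine both checks into a verdict plus the action the advisory recommends.
function assess(version, appConfig) {
  if (!isAffectedVersion(version)) {
    return { exposed: false, action: `${AFFECTED_PACKAGE}@${version} is outside the affected range` };
  }
  if (!hasDefaultEnvironmentSecrets(appConfig)) {
    return { exposed: false, action: `no defaultEnvironment secrets configured; still upgrade to ${FIXED_VERSION}` };
  }
  return {
    exposed: true,
    action: `upgrade ${AFFECTED_PACKAGE} to ${FIXED_VERSION} or later; until then remove ` +
      'scaffolder.defaultEnvironment.secrets or restrict dry-run access via the permissions framework',
  };
}

// Constructed app-config fragments, as they look after YAML parsing. The
// secret name and value are placeholders, not real credentials.
const vulnerableConfig = {
  scaffolder: { defaultEnvironment: { secrets: { GITHUB_TOKEN: 'placeholder-token' } } },
};
const remediatedConfig = {
  scaffolder: { defaultEnvironment: {} }, // secrets block removed (workaround)
};

console.log(assess('3.1.3', vulnerableConfig));
console.log(assess('3.1.3', remediatedConfig));
console.log(assess('3.1.5', vulnerableConfig));
```

In a real run, feed `assess` the version from the backend's lockfile and the object produced by loading `app-config.yaml` (plus any overlay files) with your YAML loader; the check must run against the merged config, since an overlay can reintroduce the secrets block. The permissions-framework alternative is deliberately left as text in the verdict: the advisory names the framework but not a specific permission, so the policy change belongs to the deployment's own policy code.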