CVE-2026-32237: @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-32237

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Source: NVD (National Vulnerability Database)

Vulnerability Description

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

信息暴露

Source: NVD (National Vulnerability Database)

Vulnerability Title

Backstage 信息泄露漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Backstage是Backstage开源的一个应用软件。后台是一个开放的平台,用于构建开发者门户。 Backstage 3.1.5之前版本存在信息泄露漏洞，该漏洞源于具有执行脚手架试运行权限的已验证用户可通过试运行API响应访问服务器配置的环境密钥。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
@backstage	plugin-scaffolder-backend	< 3.1.5	-

II. Public POCs for CVE-2026-32237

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-32237

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same vendor: @backstage

Same weakness: CWE-200

V. Comments for CVE-2026-32237

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2026-32237

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-32237

III. Intelligence Information for CVE-2026-32237

IV. Related Vulnerabilities

V. Comments for CVE-2026-32237

Leave a comment