Description

Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. A gap in this allowlist allows attackers to craft an mkdocs.yml that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3.

INFO

Published Date :

2026-03-07T15:03:51.422Z

Last Modified :

2026-03-09T20:24:16.895Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-29186 vulnerability.

Vendors Products
Backstage
  • Backstage
Linuxfoundation
  • Backstage Plugin-techdocs-node
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-29186.

URL Resource
https://github.com/backstage/backstage/security/advisories/GHSA-928r-fm4v-mvrw cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-29186 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-29186 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact