Description

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.

INFO

Published Date :

2026-03-12T18:38:57.156Z

Last Modified :

2026-03-12T20:46:35.503Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32237 vulnerability.

Vendors Products
Backstage
  • Plugin-scaffolder-backend
Linuxfoundation
  • Backstage\/plugin-scaffolder-backend
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32237.

URL Resource
https://github.com/backstage/backstage/commit/3b62dd2d6bf7623ebd23e4b5a6dceb209f98dfce cve-icon cve-icon cve-icon
https://github.com/backstage/backstage/security/advisories/GHSA-8wq8-6859-qx77 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-32237 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-32237 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact