@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

GHSA-8wq8-6859-qx77 · CVE-2026-32237

Published Mar 12, 2026 · Modified Mar 14, 2026

Description

Impact

Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly
redacted in log output but not in all parts of the response payload.

Deployments that have configured scaffolder.defaultEnvironment.secrets are affected.

Patches

This is patched in @backstage/plugin-scaffolder-backend version 3.1.5

Workarounds

Remove or empty the scaffolder.defaultEnvironment.secrets configuration from app-config.yaml. Alternatively, restrict access to the scaffolder dry-run functionality via the
permissions framework.

References

Backstage Scaffolder Backend documentation

References

WEB https://github.com/backstage/backstage/security/advisories/GHSA-8wq8-6859-qx77
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-32237
WEB https://github.com/backstage/backstage/commit/3b62dd2d6bf7623ebd23e4b5a6dceb209f98dfce
PACKAGE https://github.com/backstage/backstage

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes