CVE-2026-3118 MEDIUM

CVE-2026-3118: Rhdh: graphql injection leading to platform-wide denial of service (dos) in rh developer hub orchestrator plugin

Weakness CWE-89 · SQLi

Published February 25, 2026

Last update May 5, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.

Key dates

02Disclosure timeline

February 25, 2026 CVE published

May 5, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-3118

Related vulnerabilities

CVE-2026-3118: Rhdh: graphql injection leading to platform-wide denial of service (dos) in rh developer hub orchestrator plugin

01Description

02Disclosure timeline

03References

04Related CVE