CVE-2026-32237 MEDIUM

CVE-2026-32237: @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Vendor @Backstage

Product plugin-scaffolder-backend

Weakness CWE-200 · Info exposure

Published March 12, 2026

Last update March 12, 2026

View on NVD All CVEs

CVSS base score

4.4/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.

Key dates

02Disclosure timeline

March 12, 2026 CVE published

March 12, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-32237 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

04Related CVE

CVE-2026-47165 ImageMagick: Information Disclosure in distributed pixel cache server because it is not using a challenge–response authentication model CVE-2024-34004 moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup CVE-2024-8461 D-Link DNS-320 Web Management Interface discovery.cgi information disclosure CVE-2017-20019 Solare Solar-Log Config information disclosure CVE-2025-2228 Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.8 - Authenticated (Contributor+) Sensitive Information Exposure