CVE-2026-29186

Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. A gap in this allowlist allows attackers to craft an mkdocs.yml that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.3

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/backstage/backstage/security/advisories/GHSA-928r-fm4v-mvrw	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:linuxfoundation:backstage_plugin-techdocs-node:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-07 15:15

Updated : 2026-03-11 18:00

NVD link : CVE-2026-29186

Mitre link : CVE-2026-29186

CVE.ORG link : CVE-2026-29186

JSON object : View

Products Affected

linuxfoundation

backstage_plugin-techdocs-node

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2026-29186", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-03-07T15:15:55.400", "references": [{"url": "https://github.com/backstage/backstage/security/advisories/GHSA-928r-fm4v-mvrw", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-434"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. A gap in this allowlist allows attackers to craft an mkdocs.yml that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3."}, {"lang": "es", "value": "Backstage es un framework abierto para construir portales de desarrolladores. Antes de la versi\u00f3n 1.14.3, esta es una vulnerabilidad de omisi\u00f3n de configuraci\u00f3n que permite la ejecuci\u00f3n de c\u00f3digo arbitrario. El paquete @backstage/plugin-techdocs-node utiliza una lista de permitidos para filtrar claves de configuraci\u00f3n peligrosas de MkDocs durante el proceso de compilaci\u00f3n de la documentaci\u00f3n. Una brecha en esta lista de permitidos permite a los atacantes crear un mkdocs.yml que provoca la ejecuci\u00f3n de c\u00f3digo Python arbitrario, eludiendo completamente los controles de seguridad de TechDocs. Este problema ha sido parcheado en la versi\u00f3n 1.14.3."}], "lastModified": "2026-03-11T18:00:01.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:backstage_plugin-techdocs-node:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "320379D5-BAE8-4314-92DF-83E3D2B8A4B8", "versionEndExcluding": "1.14.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}