CVE-2026-44374

4.3 MEDIUM

Backstage is an open framework for building developer portals

Published: 2026-05-14 · Last updated: 2026-06-01

Severity and scoring

CVSS: 4.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-863

Affected products

Vendor	Product
linuxfoundation	backstage\/plugin-catalog-backend-module-unprocessed, backstage\/plugin-catalog-unprocessed-entities, backstage\/plugin-catalog-unprocessed-entities-common

Description

Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module. This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44374
[Vendor advisory]https://github.com/backstage/backstage/security/advisories/GHSA-p7g9-rp3g-mgfg

Related CVEs

Same vendor

CVE-2026-44477 — CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments (9.9 CRITICAL)
CVE-2026-44247 — Volcano is a Kubernetes-native batch scheduling system (6.8 MEDIUM)
CVE-2026-45321 — On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm ... (9.6 CRITICAL)
CVE-2026-37531 — AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-... (9.8 CRITICAL)
CVE-2026-37530 — AGL agl-service-can-low-level thru 17.1.12 contains a stack buffer overflow in the uds-c library (7.5 HIGH)

Same CWE

CVE-2026-49219 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
CVE-2026-53738 — Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler (8.1 HIGH)
CVE-2026-49824 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (8.5 HIGH)
CVE-2026-49823 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)
CVE-2026-48860 — Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the dis...