Update dependency @backstage/plugin-scaffolder-backend [SECURITY]

[backstage-goalie]

This PR contains the following updates:

Package	Change	Age	Confidence
@backstage/plugin-scaffolder-backend (source)	^2.1.0 → ^3.0.0
@backstage/plugin-scaffolder-backend (source)	3.0.0 → 3.1.4
@backstage/plugin-scaffolder-backend (source)	3.1.4 → 3.1.5

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Backstage has a Possible Symlink Path Traversal in Scaffolder Actions

CVE-2026-24046 / GHSA-rq6q-wr2q-7pgp

More information

Details

Impact

Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to:

1. Read arbitrary files via the debug:log action by creating a symlink pointing to sensitive files (e.g., /etc/passwd, configuration files, secrets)
2. Delete arbitrary files via the fs:delete action by creating symlinks pointing outside the workspace
3. Write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks

This affects any Backstage deployment where users can create or execute Scaffolder templates.

Patches

This vulnerability is fixed in the following package versions:

• @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, 0.15.0
• @backstage/plugin-scaffolder-backend version 2.2.2, 3.0.2, 3.1.1
• @backstage/plugin-scaffolder-node version 0.11.2, 0.12.3

Users should upgrade to these versions or later.

Workarounds

• Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates
• Restrict who can create and execute Scaffolder templates using the permissions framework
• Audit existing templates for symlink usage
• Run Backstage in a containerized environment with limited filesystem access

References

• CWE-59: Improper Link Resolution Before File Access
• OWASP Path Traversal

Severity

• CVSS Score: 7.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L

References

• https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp
• https://nvd.nist.gov/vuln/detail/CVE-2026-24046
• https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d
• https://github.com/backstage/backstage

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

@​backstage/plugin-scaffolder-backend Vulnerable to Potential Session Token Exfiltration via Log Redaction Bypass

CVE-2026-29184 / GHSA-8qp7-fhr9-fw53

More information

Details

Impact

A malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs.

The attack requires:

• The ability to register a template in the catalog
• A victim who executes the malicious template

Patches

Patched in @backstage/plugin-scaffolder-backend version 3.1.4

Workarounds

• Implement a custom permission policy that restricts scaffolder.task.read so users can only read their own task logs
• Restrict who can register templates in the catalog to trusted users only

Resources

• Backstage Scaffolder permissions documentation: https://backstage.io/docs/permissions/plugin-authors/01-setup/
• Backstage Threat Model: https://backstage.io/docs/overview/threat-model/

Severity

• CVSS Score: 2.0 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

References

• https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53
• https://nvd.nist.gov/vuln/detail/CVE-2026-29184
• https://backstage.io/docs/overview/threat-model
• https://backstage.io/docs/permissions/plugin-authors/01-setup
• https://github.com/backstage/backstage

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

@​backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

CVE-2026-32237 / GHSA-8wq8-6859-qx77

More information

Details

Impact

Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly
redacted in log output but not in all parts of the response payload.

Deployments that have configured scaffolder.defaultEnvironment.secrets are affected.

Patches

This is patched in @backstage/plugin-scaffolder-backend version 3.1.5

Workarounds

Remove or empty the scaffolder.defaultEnvironment.secrets configuration from app-config.yaml. Alternatively, restrict access to the scaffolder dry-run functionality via the
permissions framework.

References

• Backstage Scaffolder Backend documentation

Severity

• CVSS Score: 4.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/backstage/backstage/security/advisories/GHSA-8wq8-6859-qx77
• https://nvd.nist.gov/vuln/detail/CVE-2026-32237
• https://github.com/backstage/backstage/commit/3b62dd2d6bf7623ebd23e4b5a6dceb209f98dfce
• https://github.com/backstage/backstage

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

backstage/backstage (@​backstage/plugin-scaffolder-backend)

v3.1.4

Compare Source

Patch Changes

• 4e39e63: Removed unused dependencies
• Updated dependencies
  • @​backstage/integration@​1.21.0-next.0
  • @​backstage/plugin-catalog-node@​2.1.0-next.0
  • @​backstage/backend-plugin-api@​1.7.1-next.0
  • @​backstage/backend-openapi-utils@​0.6.7-next.0
  • @​backstage/catalog-model@​1.7.6
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7
  • @​backstage/types@​1.2.2
  • @​backstage/plugin-events-node@​0.4.20-next.0
  • @​backstage/plugin-permission-common@​0.9.6
  • @​backstage/plugin-permission-node@​0.10.11-next.0
  • @​backstage/plugin-scaffolder-common@​1.7.7-next.0
  • @​backstage/plugin-scaffolder-node@​0.12.6-next.0

v3.1.3

Compare Source

Patch Changes

• 7455dae: Use node prefix on native imports
• 4fc7bf0: Removed unused dependency
• 0ce78b0: Support if conditions inside each loops for scaffolder steps
• 5e3ef57: Added peerModules metadata declaring recommended modules for cross-plugin integrations.
• 8148621: Moved @backstage/backend-defaults from dependencies to devDependencies.
• 1e669cc: Migrate audit events reference docs to http://backstage.io/docs.
• 69d880e: Bump to latest zod to ensure it has the latest features
• Updated dependencies
  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.11.3
  • @​backstage/integration@​1.20.0
  • @​backstage/plugin-catalog-backend-module-scaffolder-entity-model@​0.2.17
  • @​backstage/plugin-catalog-node@​2.0.0
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-cloud@​0.3.3
  • @​backstage/plugin-scaffolder-backend-module-bitbucket@​0.3.19
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.18
  • @​backstage/plugin-scaffolder-backend-module-github@​0.9.6
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.18
  • @​backstage/backend-openapi-utils@​0.6.6
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.7
  • @​backstage/backend-plugin-api@​1.7.0
  • @​backstage/plugin-scaffolder-node@​0.12.5
  • @​backstage/plugin-auth-node@​0.6.13
  • @​backstage/plugin-permission-common@​0.9.6
  • @​backstage/plugin-permission-node@​0.10.10
  • @​backstage/plugin-events-node@​0.4.19
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.18
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-server@​0.2.18
  • @​backstage/plugin-scaffolder-common@​1.7.6

v3.1.2

Compare Source

Patch Changes

• 7455dae: Use node prefix on native imports
• 4fc7bf0: Removed unused dependency
• 1e669cc: Migrate audit events reference docs to http://backstage.io/docs.
• 69d880e: Bump to latest zod to ensure it has the latest features
• Updated dependencies
  • @​backstage/plugin-catalog-backend-module-scaffolder-entity-model@​0.2.17-next.0
  • @​backstage/plugin-catalog-node@​1.21.0-next.0
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-cloud@​0.3.2-next.0
  • @​backstage/plugin-scaffolder-backend-module-bitbucket@​0.3.19-next.0
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.18-next.0
  • @​backstage/plugin-scaffolder-backend-module-github@​0.9.5-next.0
  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.11.2-next.0
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.18-next.0
  • @​backstage/backend-openapi-utils@​0.6.6-next.0
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.7-next.0
  • @​backstage/backend-plugin-api@​1.7.0-next.0
  • @​backstage/backend-defaults@​0.15.1-next.0
  • @​backstage/plugin-scaffolder-node@​0.12.4-next.0
  • @​backstage/integration@​1.19.3-next.0
  • @​backstage/plugin-auth-node@​0.6.12-next.0
  • @​backstage/plugin-permission-common@​0.9.5-next.0
  • @​backstage/plugin-permission-node@​0.10.9-next.0
  • @​backstage/plugin-events-node@​0.4.19-next.0
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-server@​0.2.18-next.0
  • @​backstage/catalog-model@​1.7.6
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7
  • @​backstage/types@​1.2.2
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.18-next.0
  • @​backstage/plugin-scaffolder-common@​1.7.6-next.0

v3.1.1

Compare Source

Patch Changes

• 5012852: Remove unused abort controller in debug:wait action
• c641c14: Wrap some of the action logic with resolveSafeChildPath and improve symlink handling when fetching remote and local files
• 27f9061: REwrite]
• 872eb91: Upgrade zod-to-json-schema to latest version
• Updated dependencies
  • @​backstage/backend-defaults@​0.15.0
  • @​backstage/backend-plugin-api@​1.6.1
  • @​backstage/plugin-scaffolder-node@​0.12.3
  • @​backstage/integration@​1.19.2
  • @​backstage/backend-openapi-utils@​0.6.5
  • @​backstage/plugin-scaffolder-backend-module-github@​0.9.4
  • @​backstage/plugin-auth-node@​0.6.11
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.17
  • @​backstage/plugin-permission-common@​0.9.4
  • @​backstage/plugin-permission-node@​0.10.8
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.6
  • @​backstage/plugin-catalog-backend-module-scaffolder-entity-model@​0.2.16
  • @​backstage/plugin-scaffolder-backend-module-bitbucket@​0.3.18
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-cloud@​0.3.1
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-server@​0.2.17
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.17
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.17
  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.11.1
  • @​backstage/plugin-scaffolder-common@​1.7.5

v3.1.0

Compare Source

Minor Changes

• a4cd405: Add defaultEnvironment config to scaffolder to enable more flexible and custom templates. Now it's possible enable access to default parameters and secrets in templates, improving security and reducing complexity.

Patch Changes

• be5972b: Fixed a bug where config was not passed to NunjucksWorkflowRunner, causing defaultEnvironment to be undefined
• de96a60: chore(deps): bump express from 4.21.2 to 4.22.0
• 2bae83a: Updated isolated-vm to 6.0.1
• 25b560e: Internal change to support new versions of the logform library
• 8f4aded: Fixing OpenAPI definition
• 1226647: Updated dependency esbuild to ^0.27.0.
• Updated dependencies
  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.11.0
  • @​backstage/integration@​1.19.0
  • @​backstage/plugin-auth-node@​0.6.10
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-cloud@​0.3.0
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.5
  • @​backstage/backend-defaults@​0.14.0
  • @​backstage/backend-openapi-utils@​0.6.4
  • @​backstage/plugin-events-node@​0.4.18
  • @​backstage/plugin-permission-node@​0.10.7
  • @​backstage/backend-plugin-api@​1.6.0
  • @​backstage/plugin-scaffolder-backend-module-github@​0.9.3
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-server@​0.2.16
  • @​backstage/plugin-scaffolder-backend-module-bitbucket@​0.3.17
  • @​backstage/plugin-catalog-backend-module-scaffolder-entity-model@​0.2.15
  • @​backstage/plugin-catalog-node@​1.20.1
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.16
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.16
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.16
  • @​backstage/plugin-scaffolder-common@​1.7.4
  • @​backstage/plugin-scaffolder-node@​0.12.2

v3.0.3

Compare Source

v3.0.2

Compare Source

v3.0.1

Compare Source

Patch Changes

• 05f60e1: Refactored constructor parameter properties to explicit property declarations for compatibility with TypeScript's erasableSyntaxOnly setting. This internal refactoring maintains all existing functionality while ensuring TypeScript compilation compatibility.
• Updated dependencies
  • @​backstage/backend-defaults@​0.13.1
  • @​backstage/plugin-catalog-node@​1.20.0
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-cloud@​0.2.15
  • @​backstage/plugin-scaffolder-backend-module-bitbucket@​0.3.16
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.4
  • @​backstage/integration@​1.18.2
  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.10.0
  • @​backstage/backend-plugin-api@​1.5.0
  • @​backstage/plugin-permission-common@​0.9.3
  • @​backstage/plugin-events-node@​0.4.17
  • @​backstage/plugin-auth-node@​0.6.9
  • @​backstage/config@​1.3.6
  • @​backstage/catalog-model@​1.7.6
  • @​backstage/plugin-scaffolder-node@​0.12.1
  • @​backstage/backend-openapi-utils@​0.6.3
  • @​backstage/plugin-catalog-backend-module-scaffolder-entity-model@​0.2.14
  • @​backstage/plugin-permission-node@​0.10.6
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.15
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-server@​0.2.15
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.15
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.15
  • @​backstage/plugin-scaffolder-backend-module-github@​0.9.2
  • @​backstage/plugin-scaffolder-common@​1.7.3

v3.0.0

Compare Source

Major Changes

• 9b81a90: BREAKING - Removing the deprecated types and interfaces, there's no replacement for these types, and hopefully not currently used as they offer no value with the plugin being on the new backend system and no way to consume them.

  Affected types: CreateWorkerOptions, CurrentClaimedTask, DatabaseTaskStore, DatabaseTaskStoreOptions, TaskManager, TaskStore, TaskStoreCreateTaskOptions, TaskStoreCreateTaskResult, TaskStoreEmitOptions, TaskStoreListEventsOptions, TaskStoreRecoverTaskOptions, TaskStoreShutDownTaskOptions, TaskWorker and TemplateActionRegistry.

Patch Changes

• f222a2e: Fixed distributed actions not being visible in the scaffolder template actions.

  Depending on the plugin startup order, some of the distributed actions were not being registered correctly,
  causing them to be invisible in the scaffolder template actions list.

• Updated dependencies

  • @​backstage/backend-defaults@​0.13.0
  • @​backstage/integration@​1.18.1
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-server@​0.2.14
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-cloud@​0.2.14
  • @​backstage/plugin-scaffolder-backend-module-bitbucket@​0.3.15
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.14
  • @​backstage/plugin-scaffolder-backend-module-github@​0.9.1
  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.9.6
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.14
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.14
  • @​backstage/plugin-scaffolder-node@​0.12.0
  • @​backstage/config@​1.3.5
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.3
  • @​backstage/backend-openapi-utils@​0.6.2
  • @​backstage/backend-plugin-api@​1.4.4
  • @​backstage/plugin-auth-node@​0.6.8
  • @​backstage/plugin-catalog-backend-module-scaffolder-entity-model@​0.2.13
  • @​backstage/plugin-catalog-node@​1.19.1
  • @​backstage/plugin-events-node@​0.4.16
  • @​backstage/plugin-permission-common@​0.9.2
  • @​backstage/plugin-permission-node@​0.10.5
  • @​backstage/plugin-scaffolder-common@​1.7.2

v2.2.3

Compare Source

v2.2.2

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[backstage-service]

👋 Reminder: This Renovate patch/minor PR has been open for 7 days.

Please review and merge if the changes look good. If no action is taken, this PR will be labeled force-merge in 7 days.

[backstage-goalie]

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
backend	workspaces/report-portal/packages/backend	none	v0.0.7