Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks — CVE-2026-44374
GHSA · GitHub · CVE-2026-44374
ID
CVE-2026-44374
CVE-2026-44374
Date
Updated
Activity
Source
GHSA
GHSA
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
4.3
4.3
Summary
### Impact The unprocessed entities read endpoints in `@backstage/plugin-catalog-backend-module-unprocessed` do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module. ### Patches This is patched in…
Product
npm: @backstage/plugin-catalog-unprocessed-entities-common | npm: @backstage/plugin-catalog-unprocessed-entities | npm: @backstage/plugin-catalog-backend-module-unprocessed
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.