CVE-2026-32237

{"id": "CVE-2026-32237", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-12T19:16:19.040", "references": [{"url": "https://github.com/backstage/backstage/commit/3b62dd2d6bf7623ebd23e4b5a6dceb209f98dfce", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/backstage/backstage/security/advisories/GHSA-8wq8-6859-qx77", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5."}, {"lang": "es", "value": "Backstage es un framework abierto para construir portales de desarrollador. Antes de la versi\u00f3n 3.1.5, los usuarios autenticados con permiso para ejecutar 'dry-runs' de scaffolder pueden obtener acceso a secretos de entorno configurados en el servidor a trav\u00e9s de la respuesta de la API del 'dry-run'. Los secretos se redactan correctamente en la salida de registro, pero no en todas las partes de la carga \u00fatil de la respuesta. Las implementaciones que han configurado scaffolder.defaultEnvironment.secrets se ven afectadas. Esto se ha parcheado en la versi\u00f3n 3.1.5 de @backstage/plugin-scaffolder-backend."}], "lastModified": "2026-04-30T18:34:38.280", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:backstage\\/plugin-scaffolder-backend:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "39A36240-5656-4C93-8F48-8A0A8B3362C6", "versionEndExcluding": "3.1.5", "versionStartIncluding": "3.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}