CVE-2026-24048 (GCVE-0-2026-24048)
Vulnerability from cvelistv5 – Published: 2026-01-21 22:51 – Updated: 2026-01-22 16:48
Title
Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`
Summary
Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints.
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9 | x_refsource_CONFIRM |
| https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24048",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T15:09:12.796088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T16:48:55.954Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 0.12.2"
},
{
"status": "affected",
"version": "\u003e= 0.13.0, \u003c 0.13.2"
},
{
"status": "affected",
"version": "\u003e= 0.14.0, \u003c 0.14.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T22:51:44.015Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9"
},
{
"name": "https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb"
}
],
"source": {
"advisory": "GHSA-q2x5-4xjx-c6p9",
"discovery": "UNKNOWN"
},
"title": "Backstage has a Possible SSRF when reading from allowed URL\u0027s in `backend.reading.allow`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24048",
"datePublished": "2026-01-21T22:51:44.015Z",
"dateReserved": "2026-01-20T22:30:11.778Z",
"dateUpdated": "2026-01-22T16:48:55.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-24048",
"date": "2026-04-17",
"epss": "0.00044",
"percentile": "0.13375"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-24048\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-21T23:15:53.580\",\"lastModified\":\"2026-04-09T14:47:17.040\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints.\"},{\"lang\":\"es\",\"value\":\"Backstage es un framework abierto para construir portales de desarrolladores, y @backstage/backend-defaults proporciona las implementaciones y configuraci\u00f3n predeterminadas para una aplicaci\u00f3n backend est\u00e1ndar de Backstage. Antes de las versiones 0.12.2, 0.13.2, 0.14.1 y 0.15.0, el componente \u0027FetchUrlReader\u0027, utilizado por el cat\u00e1logo y otros plugins para obtener contenido de URLs, segu\u00eda las redirecciones HTTP autom\u00e1ticamente. Esto permit\u00eda a un atacante que controla un host listado en \u0027backend.reading.allow\u0027 redirigir peticiones a URLs internas o sensibles que no est\u00e1n en la lista de permitidos, eludiendo el control de seguridad de la lista de permitidos de URLs. Esta es una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) que podr\u00eda permitir el acceso a recursos internos, pero no permite a los atacantes incluir encabezados de petici\u00f3n adicionales. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.12.2, 0.13.2, 0.14.1 y 0.15.0 de \u0027@backstage/backend-defaults\u0027. Los usuarios deber\u00edan actualizar a esta versi\u00f3n o posterior. Hay disponibles algunas soluciones alternativas. Restrinja \u0027backend.reading.allow\u0027 solo a hosts de confianza que usted controle y que no emitan redirecciones, aseg\u00farese de que los hosts permitidos no tengan vulnerabilidades de redirecci\u00f3n abierta, y/o utilice controles a nivel de red para bloquear el acceso desde Backstage a puntos finales internos sensibles.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:\\\\@backstage\\\\/backend_defaults:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"0.12.2\",\"matchCriteriaId\":\"993E0FA8-E99F-49CC-8138-16BB9BF34964\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:\\\\@backstage\\\\/backend_defaults:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"0.13.0\",\"versionEndIncluding\":\"0.13.2\",\"matchCriteriaId\":\"C2B1BB24-DE80-427A-8810-72244BB2B683\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:\\\\@backstage\\\\/backend_defaults:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"0.14.0\",\"versionEndIncluding\":\"0.14.1\",\"matchCriteriaId\":\"648260D7-A702-4EC9-AB2F-BCFA2812AA61\"}]}]}],\"references\":[{\"url\":\"https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24048\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-22T15:09:12.796088Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-22T15:09:14.747Z\"}}], \"cna\": {\"title\": \"Backstage has a Possible SSRF when reading from allowed URL\u0027s in `backend.reading.allow`\", \"source\": {\"advisory\": \"GHSA-q2x5-4xjx-c6p9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 3.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"backstage\", \"product\": \"backstage\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.12.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.13.0, \u003c 0.13.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.14.0, \u003c 0.14.1\"}]}], \"references\": [{\"url\": \"https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9\", \"name\": \"https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb\", \"name\": \"https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-21T22:51:44.015Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-24048\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-22T16:48:55.954Z\", \"dateReserved\": \"2026-01-20T22:30:11.778Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-21T22:51:44.015Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.