Bug 2442273 (CVE-2026-3118) - CVE-2026-3118 rhdh: GraphQL Injection Leading to Platform-Wide Denial of Service (DoS) in RH Developer Hub Orchestrator Plugin
Summary: CVE-2026-3118 rhdh: GraphQL Injection Leading to Platform-Wide Denial of Serv...
Keywords:
Status: NEW
Alias: CVE-2026-3118
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-02-24 12:13 UTC by OSIDB Bzimport
Modified: 2026-02-25 11:17 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-02-24 12:13:46 UTC
GraphQL Injection vulnerability in the Orchestrator Plugin of RH Developer Hub (Backstage). The flaw is caused by improper neutralization of special characters within user-supplied input fields that are directly embedded into backend GraphQL queries. By submitting specially crafted JSON payloads containing malicious GraphQL fragments (e.g., manipulated orderBy or filter values), an authenticated attacker can break query structure and trigger unhandled exceptions. This results in the entire Backstage application crashing and automatically restarting, leading to a platform-wide Denial of Service. The vulnerability can be exploited remotely by any authenticated user without additional privileges or user interaction, causing a high impact on service availability.
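As an added illustration (not code from the Orchestrator plugin or Red Hat Developer Hub), the TypeScript below contrasts a builder that splices a JSON-supplied orderBy value straight into query text with a hardened one that allowlists the field name, passes the direction as a GraphQL variable, and turns bad input into a 400 for that caller instead of an exception that escapes the handler. The ProcessInstances type, its field names and the OrderBy enum are assumptions for the example.

```typescript
// Added illustration, not the Orchestrator plugin's code: a hypothetical
// ProcessInstances query whose orderBy comes from a JSON request body.
interface OrderBy { field: string; direction: string }
interface GqlRequest { query: string; variables: Record<string, unknown> }

// Assumed allowlist; the real schema's sortable fields will differ.
const SORTABLE_FIELDS = new Set(["id", "processName", "start", "state"]);
const DIRECTIONS = new Set(["ASC", "DESC"]);

// Tagged error so the handler can tell caller mistakes from upstream faults.
function invalidInput(msg: string): Error {
  const e = new Error(msg); e.name = "InvalidInputError"; return e;
}

// Vulnerable pattern: untrusted strings are spliced into query syntax, so a
// value containing `}`, `)` or `#` changes the document's structure.
export function buildQueryUnsafe(orderBy: OrderBy): GqlRequest {
  const query = `{ ProcessInstances(orderBy: { ${orderBy.field}: ${orderBy.direction} }) { id state } }`;
  return { query, variables: {} };
}

// Hardened pattern: the field name must match the allowlist and the
// direction travels as a GraphQL variable, never as query text.
export function buildQuerySafe(orderBy: OrderBy): GqlRequest {
  if (!SORTABLE_FIELDS.has(orderBy.field)) throw invalidInput(`unsortable field: ${JSON.stringify(orderBy.field)}`);
  if (!DIRECTIONS.has(orderBy.direction)) throw invalidInput(`bad direction: ${JSON.stringify(orderBy.direction)}`);
  const query = `query ($dir: OrderBy!) { ProcessInstances(orderBy: { ${orderBy.field}: $dir }) { id state } }`;
  return { query, variables: { dir: orderBy.direction } };
}

// Cheap stand-in for the backend parser: braces and parentheses must balance.
export function isBalanced(query: string): boolean {
  const stack: string[] = [];
  const open: Record<string, string> = { ")": "(", "}": "{" };
  for (const ch of query) {
    if (ch === "(" || ch === "{") stack.push(ch);
    else if (ch in open && stack.pop() !== open[ch]) return false;
  }
  return stack.length === 0;
}

// Handler: a bad orderBy is a 400 for that caller only, and upstream errors
// are caught rather than escaping as an unhandled rejection that would take
// the whole Backstage process down.
export async function handleList(body: { orderBy: OrderBy }, send: (req: GqlRequest) => Promise<unknown>) {
  try {
    return { status: 200, body: await send(buildQuerySafe(body.orderBy)) };
  } catch (e) {
    if (e instanceof Error && e.name === "InvalidInputError") return { status: 400, body: { error: e.message } };
    return { status: 502, body: { error: "upstream query failed" } };
  }
}
```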

