2445484 – (CVE-2026-29185) CVE-2026-29185 @backstage/integration: Backstage SCM Integration: Unauthorized access to SCM APIs via path traversal

Bug 2445484 (CVE-2026-29185) - CVE-2026-29185 @backstage/integration: Backstage SCM Integration: Unauthorized access to SCM APIs via path traversal

Summary: CVE-2026-29185 @backstage/integration: Backstage SCM Integration: Unauthorize...

Keywords:
Status:	NEW
Alias:	CVE-2026-29185
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-07 16:02 UTC by OSIDB Bzimport
Modified:	2026-03-09 19:54 UTC (History)
CC List:	16 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-07 16:02:16 UTC

Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that construct API URLs, the traversal segments could redirect requests to unintended SCM provider API endpoints using the configured server-side integration credentials. This issue has been patched in version 1.20.1.

Note You need to log in before you can comment on or make changes to this bug.