What is CVE-2026-24047?

### Impact The `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by: 1. **Symlink chains**: Creating `link1 → link2 → /outside` where intermediate symlinks eventually resolve outside the allowed directory 2. **Dangling symlinks**: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. ### Patches This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later. ### Workarounds - Run Backstage in a containerised environment with limited filesystem access - Restrict template creation to trusted users

What is the severity of CVE-2026-24047?

CVE-2026-24047 has a CVSS v3 score of 6.3, which is classified as Medium severity.

Is there an exploit available for CVE-2026-24047?

No known public exploits are currently available for CVE-2026-24047.

Is there a patch available for CVE-2026-24047?

Yes, patches are available for CVE-2026-24047. Check the vendor advisories for update instructions.

CVE-2026-24047 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v36.3

CVSS v20.0

Priority Score186.0

EPSS Score0.0

Medium

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

6.3

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

The resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:

Symlink chains: Creating link1 → link2 → /outside where intermediate symlinks eventually resolve outside the allowed directory
Dangling symlinks: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations

This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.

Patches

This vulnerability is fixed in @backstage/backend-plugin-api version 0.1.17. Users should upgrade to this version or later.

Workarounds

Run Backstage in a containerised environment with limited filesystem access
Restrict template creation to trusted users

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:High

Privileges Required:Local

User Interaction:Network

Scope:Changed

Confidentiality:High

Integrity:Network

Availability:Network

Patch References

Github.com