What is the severity of CVE-2026-24048?

CVE-2026-24048 has a CVSS v3 score of 3.5, which is classified as Low severity.

Is there an exploit available for CVE-2026-24048?

No known public exploits are currently available for CVE-2026-24048.

Is there a patch available for CVE-2026-24048?

Yes, patches are available for CVE-2026-24048. Check the vendor advisories for update instructions.

CVE-2026-24048 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-24048?

### Impact The `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. ### Patches This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. ### Workarounds - Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects - Ensure allowed hosts do not have open redirect vulnerabilities - Use network-level controls to block access from Backstage to sensitive internal endpoints ### References - [OWASP SSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)

Severity Scores

CVSS v33.5

CVSS v20.0

Priority Score225.0

EPSS Score0.0

Low

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

3.5

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

The FetchUrlReader component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in backend.reading.allow to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control.

This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers.

Patches

This vulnerability is fixed in @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later.

Workarounds

Restrict backend.reading.allow to only trusted hosts that you control and that do not issue redirects
Ensure allowed hosts do not have open redirect vulnerabilities
Use network-level controls to block access from Backstage to sensitive internal endpoints

References

OWASP SSRF Prevention Cheat Sheet

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:High

Privileges Required:Local

User Interaction:Network

Scope:Changed

Confidentiality:Local

Integrity:Network

Availability:Network

Patch References

Github.com