## Backstage Security Advisory: Critical Path Traversal Vulnerability in Scaffolder Actions (CVE-2026-24046)
A critical security vulnerability has been disclosed in Backstage, the popular open-source developer portal platform. The flaw, tracked as CVE-2026-24046, affects multiple Scaffolder actions and archive extraction utilities, leaving them vulnerable to symlink-based path traversal attacks. This vulnerability allows an attacker with access to create and execute software templates to potentially escape the intended sandbox, leading to unauthorized file system access and arbitrary file writes on the host system running the Backstage backend.

The vulnerability is present in the `@backstage/backend-defaults` package and related components. A security advisory published by the Backstage maintainers details the impact, confirming that the issue could be exploited to read or write files outside the designated workspace. The advisory prompted an immediate patch, resulting in the release of version 0.12.0 of `@backstage/backend-defaults`. The update is classified as a security fix, and the associated GitHub pull request explicitly tags it with a [SECURITY] label, underscoring its urgency.
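As an added illustration of the bug class the advisory describes (example code written for this summary, not Backstage's own extraction code or its patch), the block below contrasts a lexical workspace-containment check with a symlink-aware one over a constructed archive. The entry model, the `extract` simulation and the temp-directory fixture are assumptions, not values taken from the advisory.

```typescript
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';
// Minimal archive-entry model, constructed for this example (not Backstage's own types).
export type ArchiveEntry =
  | { kind: 'file'; name: string; content: string }
  | { kind: 'symlink'; name: string; target: string };
const inside = (root: string, p: string) => p === root || p.startsWith(root + path.sep);
const onDisk = (p: string) => { try { fs.lstatSync(p); return true; } catch { return false; } };
// Lexical check: handles "../" but ignores symlinks already on disk, so "link/file" passes when "link" escapes.
export function lexicalCheck(root: string, e: ArchiveEntry): boolean {
  return inside(root, path.resolve(root, e.name));
}
// Hardened check: confine symlink targets, then realpath the deepest existing ancestor of the destination.
export function realpathCheck(root: string, e: ArchiveEntry): boolean {
  const realRoot = fs.realpathSync(root);
  const dest = path.resolve(realRoot, e.name);
  if (!inside(realRoot, dest)) return false;
  if (e.kind === 'symlink' && !inside(realRoot, path.resolve(path.dirname(dest), e.target))) return false;
  let probe = dest; while (!onDisk(probe)) probe = path.dirname(probe); // walk up to something that exists
  try { return inside(realRoot, fs.realpathSync(probe)); } catch { return false; } // dangling link: reject
}
// Simulated extraction: writes accepted entries under root and returns the names it rejected.
export function extract(root: string, entries: ArchiveEntry[], check: (r: string, e: ArchiveEntry) => boolean): string[] {
  const rejected: string[] = [];
  for (const e of entries) {
    if (!check(root, e)) { rejected.push(e.name); continue; }
    const dest = path.resolve(root, e.name);
    fs.mkdirSync(path.dirname(dest), { recursive: true });
    if (e.kind === 'symlink') fs.symlinkSync(e.target, dest); else fs.writeFileSync(dest, e.content);
  }
  return rejected;
}
// Fixture: two workspaces and a sibling "outside" directory in a fresh temp dir (constructed).
export function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'scaffolder-demo-'));
  const outside = path.join(base, 'outside'); fs.mkdirSync(outside);
  const entries: ArchiveEntry[] = [
    { kind: 'file', name: 'README.md', content: 'fine' },
    { kind: 'symlink', name: 'link', target: outside },            // link whose target leaves the workspace
    { kind: 'file', name: 'link/through-link.txt', content: 'x' }, // write routed through that link
    { kind: 'file', name: '../escape.txt', content: 'x' },         // plain "../" escape, caught by both checks
  ];
  const wsNaive = path.join(base, 'ws-naive'); fs.mkdirSync(wsNaive);
  const naiveRejected = extract(wsNaive, entries, lexicalCheck);
  const leaked = fs.existsSync(path.join(outside, 'through-link.txt')); // true: the write landed outside
  const wsHard = path.join(base, 'ws-hardened'); fs.mkdirSync(wsHard);
  const hardenedRejected = extract(wsHard, entries, realpathCheck); // link refused, so the later write stays inside
  return { naiveRejected, hardenedRejected, leaked };
}
```
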

This incident places immediate pressure on all organizations and development teams running self-hosted Backstage instances. Path traversal via symlinks is a classic and severe security pitfall that can lead to full system compromise if exploited. The fix requires updating the core backend dependency. The presence of a CVE identifier and a formal GitHub Security Advisory signals that this is a coordinated disclosure of a high-severity issue. Teams must prioritize applying this patch to mitigate the risk of attackers leveraging template execution to breach the underlying infrastructure.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, open-source, CVE-2026-24046, supply-chain
- **Credibility**: unverified
- **Published**: 2026-04-09 08:27:01
- **ID**: 56463
- **URL**: https://whisperx.ai/en/intel/56463