CVE-2026-24047

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-24047

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24047.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-24047

Aliases

GHSA-2p49-45hj-7mc9

Published

2026-01-21T22:45:06.956Z

Modified

2026-03-14T12:50:33.636631Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator

Summary

@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass

Details

Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating link1 → link2 → /outside where intermediate symlinks eventually resolve outside the allowed directory) and dangling symlinks (creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations). This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. This vulnerability is fixed in @backstage/backend-plugin-api version 0.1.17. Users should upgrade to this version or later. Some workarounds are available. Run Backstage in a containerized environment with limited filesystem access and/or restrict template creation to trusted users.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24047.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-59",
        "CWE-61"
    ]
}

References

Affected packages

Git / github.com/backstage/backstage

Affected ranges

Type: GIT
Repo: https://github.com/backstage/backstage
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ae4dd5d1572a4f639e1a466fd982656b50f8e692

Affected versions

Other

cli-old-cache-watch

hackweek-demo

release-2021-01-07

release-2021-01-08

release-2021-01-09

release-2021-01-14

release-2021-01-18

release-2021-01-20

release-2021-01-21

release-2021-01-28

release-2021-01-29

release-2021-02-01

release-2021-02-03

release-2021-02-05

release-2021-02-11

release-2021-02-16

release-2021-02-18

release-2021-02-23

release-2021-03-04

release-2021-03-09

release-2021-03-11

release-2021-03-16

release-2021-03-17

release-2021-03-18

release-2021-03-19

release-2021-03-25

release-2021-03-31

release-2021-04-08

release-2021-04-13

release-2021-04-15

release-2021-04-21

release-2021-04-22

release-2021-04-29

release-2021-05-04

release-2021-05-06

release-2021-05-10

release-2021-05-11

release-2021-05-12

release-2021-05-17

release-2021-05-20

release-2021-05-27

release-2021-05-31

release-2021-06-01

release-2021-06-03

release-2021-06-10

release-2021-06-17

release-2021-06-18

release-2021-06-21

release-2021-06-24

release-2021-06-28

release-2021-07-01

release-2021-07-07

release-2021-07-08

release-2021-07-14

release-2021-07-15

release-2021-07-16

release-2021-07-22

release-2021-07-29

release-2021-08-03

release-2021-08-05

release-2021-08-11

release-2021-08-12

release-2021-08-17

release-2021-08-19

release-2021-08-20

release-2021-08-26

release-2021-08-31

release-2021-09-02

release-2021-09-09

release-2021-09-14

release-2021-09-16

release-2021-09-17

release-2021-09-21

release-2021-09-23

release-2021-09-28

release-2021-09-30

release-2021-1-7

release-2021-10-04

release-2021-10-06

release-2021-10-07

release-2021-10-11

release-2021-10-13

release-2021-10-14

release-2021-10-16

release-2021-10-19

release-2021-10-21

release-2021-10-22

release-2021-10-28

release-2021-10-29

release-2021-11-08

release-2021-11-11

release-2021-11-12

release-2021-11-17

release-2021-11-18

release-2021-11-19

release-2021-11-25

release-2021-12-02

release-2021-12-07

release-2021-12-09

release-2021-12-10

release-2021-12-16

release-2021-12-23

release-2021-12-24

release-2021-12-30

release-2022-01-04

release-2022-01-13

release-2022-01-18

release-2022-01-20

release-2022-01-27

release-2021-01-14.*

release-2021-01-14.1

release-2021-01-21.*

release-2021-01-21.1

release-2021-03-11.*

release-2021-03-11.1

release-2021-03-31.*

release-2021-03-31.1

release-2021-04-22.*

release-2021-04-22.1

release-2021-05-12.*

release-2021-05-12.1

release-2021-05-20.*

release-2021-05-20.1

release-2021-06-10.*

release-2021-06-10.1

release-2021-06-17.*

release-2021-06-17.1

release-2021-06-21.*

release-2021-06-21.1

release-2021-07-14.*

release-2021-07-14.1

release-2021-10-29.*

release-2021-10-29.1

release-2021-11-11.*

release-2021-11-11.1

release-2021-11-17.*

release-2021-11-17.1

release-2022-01-20.*

release-2022-01-20.1

v0.*

v0.1.0

v0.1.1

v0.1.1-alpha.0

v0.1.1-alpha.1

v0.1.1-alpha.10

v0.1.1-alpha.11

v0.1.1-alpha.12

v0.1.1-alpha.13

v0.1.1-alpha.15

v0.1.1-alpha.16

v0.1.1-alpha.17

v0.1.1-alpha.18

v0.1.1-alpha.19

v0.1.1-alpha.2

v0.1.1-alpha.20

v0.1.1-alpha.21

v0.1.1-alpha.22

v0.1.1-alpha.23

v0.1.1-alpha.24

v0.1.1-alpha.25

v0.1.1-alpha.26

v0.1.1-alpha.3

v0.1.1-alpha.4

v0.1.1-alpha.5

v0.1.1-alpha.6

v0.1.1-alpha.7

v0.1.1-alpha.8

v0.1.1-alpha.9

v0.10.0

v0.11.0

v0.11.1

v0.11.2

v0.11.3

v0.12.0

v0.13.0

v0.13.1

v0.14.0

v0.15.0

v0.16.0

v0.16.1

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.18.0

v0.18.1

v0.19.0

v0.2.0

v0.20.0

v0.20.1

v0.21.0

v0.21.1

v0.22.0

v0.22.1

v0.22.2

v0.23.0

v0.24.0

v0.24.1

v0.25.0

v0.25.1

v0.25.2

v0.25.3

v0.26.0

v0.26.1

v0.27.0

v0.28.0

v0.29.0

v0.29.1

v0.29.2

v0.3.0

v0.3.1

v0.3.2

v0.30.0

v0.30.1

v0.31.0

v0.32.0

v0.33.0

v0.33.1

v0.33.2

v0.33.3

v0.34.0

v0.34.1

v0.35.0

v0.35.1

v0.36.0

v0.36.1

v0.36.2

v0.37.0

v0.37.1

v0.38.0

v0.39.0

v0.39.1

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.40.0

v0.40.1

v0.41.0

v0.41.1

v0.42.0

v0.43.0

v0.44.0

v0.44.1

v0.45.0

v0.46.0

v0.46.1

v0.47.0

v0.47.1

v0.47.2

v0.48.0

v0.48.1

v0.49.0

v0.5.0

v0.50.0

v0.50.1

v0.50.2

v0.51.0

v0.51.1

v0.51.2

v0.52.0

v0.52.1

v0.53.0

v0.53.1

v0.53.2

v0.53.3

v0.54.0

v0.54.1

v0.54.2

v0.54.3

v0.54.4

v0.55.0

v0.55.1

v0.56.0

v0.57.0

v0.57.1

v0.58.0

v0.58.1

v0.59.0

v0.6.0

v0.60.0

v0.60.1

v0.61.0

v0.62.0

v0.63.0

v0.63.1

v0.64.0

v0.64.1

v0.65.0

v0.66.0

v0.66.0-next.0

v0.66.0-next.1

v0.67.0

v0.67.0-next.0

v0.68.0

v0.69.0

v0.7.0

v0.70.0

v0.71.0

v0.71.0-next.0

v0.8.0

v0.8.1

v0.8.2

v0.9.0

v1.*

v1.0.0

v1.1.0

v1.1.0-next.0

v1.1.0-next.1

v1.1.0-next.2

v1.1.0-next.3

v1.10.0

v1.10.0-next.0

v1.10.0-next.1

v1.10.0-next.2

v1.11.0

v1.11.0-next.0

v1.11.0-next.1

v1.11.0-next.2

v1.12.0

v1.12.0-next.0

v1.12.0-next.1

v1.12.0-next.2

v1.13.0

v1.13.0-next.0

v1.13.0-next.1

v1.13.0-next.2

v1.13.0-next.3

v1.14.0

v1.14.0-next.0

v1.14.0-next.1

v1.14.0-next.2

v1.15.0

v1.15.0-next.0

v1.15.0-next.1

v1.15.0-next.2

v1.15.0-next.3

v1.16.0

v1.16.0-next.0

v1.16.0-next.1

v1.16.0-next.2

v1.17.0

v1.17.0-next.0

v1.17.0-next.1

v1.17.0-next.2

v1.18.0

v1.18.0-next.0

v1.18.0-next.1

v1.18.0-next.2

v1.18.0-next.3

v1.19.0

v1.19.0-next.0

v1.19.0-next.1

v1.19.0-next.2

v1.2.0

v1.2.0-next.0

v1.2.0-next.1

v1.2.0-next.2

v1.2.0-next.3

v1.20.0

v1.20.0-next.0

v1.20.0-next.1

v1.20.0-next.2

v1.21.0

v1.21.0-next.0

v1.21.0-next.1

v1.21.0-next.2

v1.21.0-next.3

v1.21.0-next.4

v1.22.0

v1.22.0-next.0

v1.22.0-next.1

v1.22.0-next.2

v1.23.0

v1.23.0-next.0

v1.23.0-next.1

v1.23.0-next.2

v1.23.0-next.3

v1.24.0

v1.24.0-next.0

v1.24.0-next.1

v1.24.0-next.2

v1.24.1

v1.24.2

v1.25.0

v1.26.0

v1.26.0-next.0

v1.26.0-next.1

v1.27.0

v1.27.0-next.0

v1.27.0-next.1

v1.27.0-next.2

v1.28.0

v1.28.0-next.0

v1.28.0-next.1

v1.28.0-next.2

v1.28.0-next.3

v1.29.0

v1.29.0-next.0

v1.29.0-next.1

v1.29.0-next.2

v1.3.0

v1.3.0-next.0

v1.3.0-next.1

v1.3.0-next.2

v1.30.0

v1.30.0-next.0

v1.30.0-next.1

v1.30.0-next.2

v1.30.0-next.3

v1.30.0-next.4

v1.31.0

v1.31.0-next.0

v1.31.0-next.1

v1.31.0-next.2

v1.32.0

v1.32.0-next.0

v1.32.0-next.1

v1.32.0-next.2

v1.33.0

v1.33.0-next.0

v1.33.0-next.1

v1.33.0-next.2

v1.33.0-next.3

v1.34.0

v1.34.0-next.0

v1.34.0-next.1

v1.34.0-next.2

v1.35.0

v1.35.0-next.0

v1.35.0-next.1

v1.35.0-next.2

v1.36.0

v1.36.0-next.0

v1.36.0-next.1

v1.36.0-next.2

v1.36.0-next.3

v1.37.0

v1.37.0-next.0

v1.37.0-next.1

v1.37.0-next.2

v1.38.0

v1.38.0-next.0

v1.38.0-next.1

v1.38.0-next.2

v1.39.0

v1.39.0-next.0

v1.39.0-next.1

v1.39.0-next.2

v1.39.0-next.3

v1.4.0

v1.4.0-next.0

v1.4.0-next.1

v1.4.0-next.2

v1.4.0-next.3

v1.40.0

v1.40.0-next.0

v1.40.0-next.1

v1.40.0-next.2

v1.40.0-next.3

v1.41.0

v1.41.0-next.0

v1.41.0-next.1

v1.41.0-next.2

v1.42.0

v1.42.0-next.0

v1.42.0-next.1

v1.42.0-next.2

v1.42.0-next.3

v1.43.0

v1.43.0-next.0

v1.43.0-next.1

v1.43.0-next.2

v1.44.0

v1.44.0-next.0

v1.44.0-next.1

v1.44.0-next.2

v1.44.0-next.3

v1.45.0

v1.45.0-next.0

v1.45.0-next.1

v1.45.0-next.2

v1.45.0-next.3

v1.46.0

v1.46.0-next.0

v1.46.0-next.1

v1.46.0-next.2

v1.47.0-next.0

v1.47.0-next.1

v1.47.0-next.2

v1.47.0-next.3

v1.5.0

v1.5.0-next.0

v1.5.0-next.1

v1.5.0-next.2

v1.5.0-next.3

v1.6.0

v1.6.0-next.0

v1.6.0-next.1

v1.6.0-next.2

v1.6.0-next.3

v1.7.0

v1.7.0-next.0

v1.7.0-next.1

v1.7.0-next.2

v1.8.0

v1.8.0-next.0

v1.8.0-next.1

v1.8.0-next.2

v1.9.0

v1.9.0-next.0

v1.9.0-next.1

v1.9.0-next.2

v1.9.0-next.3

v1.9.0-next.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24047.json"