CVE-2026-24048

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-24048

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24048.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-24048

Aliases

GHSA-q2x5-4xjx-c6p9

Published

2026-01-21T22:51:44.015Z

Modified

2026-03-14T12:51:42.083513Z

Severity

3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N CVSS Calculator

Summary

Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`

Details

Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the FetchUrlReader component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in backend.reading.allow to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict backend.reading.allow to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24048.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ]
}

References

Affected packages

Git / github.com/backstage/backstage

Affected ranges

Type: GIT
Repo: https://github.com/backstage/backstage
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

27f9061d24affd1b9212fe0abd476bfc3fbaedcb

Affected versions

Other

cli-old-cache-watch

hackweek-demo

release-2021-01-07

release-2021-01-08

release-2021-01-09

release-2021-01-14

release-2021-01-18

release-2021-01-20

release-2021-01-21

release-2021-01-28

release-2021-01-29

release-2021-02-01

release-2021-02-03

release-2021-02-05

release-2021-02-11

release-2021-02-16

release-2021-02-18

release-2021-02-23

release-2021-03-04

release-2021-03-09

release-2021-03-11

release-2021-03-16

release-2021-03-17

release-2021-03-18

release-2021-03-19

release-2021-03-25

release-2021-03-31

release-2021-04-08

release-2021-04-13

release-2021-04-15

release-2021-04-21

release-2021-04-22

release-2021-04-29

release-2021-05-04

release-2021-05-06

release-2021-05-10

release-2021-05-11

release-2021-05-12

release-2021-05-17

release-2021-05-20

release-2021-05-27

release-2021-05-31

release-2021-06-01

release-2021-06-03

release-2021-06-10

release-2021-06-17

release-2021-06-18

release-2021-06-21

release-2021-06-24

release-2021-06-28

release-2021-07-01

release-2021-07-07

release-2021-07-08

release-2021-07-14

release-2021-07-15

release-2021-07-16

release-2021-07-22

release-2021-07-29

release-2021-08-03

release-2021-08-05

release-2021-08-11

release-2021-08-12

release-2021-08-17

release-2021-08-19

release-2021-08-20

release-2021-08-26

release-2021-08-31

release-2021-09-02

release-2021-09-09

release-2021-09-14

release-2021-09-16

release-2021-09-17

release-2021-09-21

release-2021-09-23

release-2021-09-28

release-2021-09-30

release-2021-1-7

release-2021-10-04

release-2021-10-06

release-2021-10-07

release-2021-10-11

release-2021-10-13

release-2021-10-14

release-2021-10-16

release-2021-10-19

release-2021-10-21

release-2021-10-22

release-2021-10-28

release-2021-10-29

release-2021-11-08

release-2021-11-11

release-2021-11-12

release-2021-11-17

release-2021-11-18

release-2021-11-19

release-2021-11-25

release-2021-12-02

release-2021-12-07

release-2021-12-09

release-2021-12-10

release-2021-12-16

release-2021-12-23

release-2021-12-24

release-2021-12-30

release-2022-01-04

release-2022-01-13

release-2022-01-18

release-2022-01-20

release-2022-01-27

release-2021-01-14.*

release-2021-01-14.1

release-2021-01-21.*

release-2021-01-21.1

release-2021-03-11.*

release-2021-03-11.1

release-2021-03-31.*

release-2021-03-31.1

release-2021-04-22.*

release-2021-04-22.1

release-2021-05-12.*

release-2021-05-12.1

release-2021-05-20.*

release-2021-05-20.1

release-2021-06-10.*

release-2021-06-10.1

release-2021-06-17.*

release-2021-06-17.1

release-2021-06-21.*

release-2021-06-21.1

release-2021-07-14.*

release-2021-07-14.1

release-2021-10-29.*

release-2021-10-29.1

release-2021-11-11.*

release-2021-11-11.1

release-2021-11-17.*

release-2021-11-17.1

release-2022-01-20.*

release-2022-01-20.1

v0.*

v0.1.0

v0.1.1

v0.1.1-alpha.0

v0.1.1-alpha.1

v0.1.1-alpha.10

v0.1.1-alpha.11

v0.1.1-alpha.12

v0.1.1-alpha.13

v0.1.1-alpha.15

v0.1.1-alpha.16

v0.1.1-alpha.17

v0.1.1-alpha.18

v0.1.1-alpha.19

v0.1.1-alpha.2

v0.1.1-alpha.20

v0.1.1-alpha.21

v0.1.1-alpha.22

v0.1.1-alpha.23

v0.1.1-alpha.24

v0.1.1-alpha.25

v0.1.1-alpha.26

v0.1.1-alpha.3

v0.1.1-alpha.4

v0.1.1-alpha.5

v0.1.1-alpha.6

v0.1.1-alpha.7

v0.1.1-alpha.8

v0.1.1-alpha.9

v0.10.0

v0.11.0

v0.11.1

v0.11.2

v0.11.3

v0.12.0

v0.13.0

v0.13.1

v0.14.0

v0.15.0

v0.16.0

v0.16.1

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.18.0

v0.18.1

v0.19.0

v0.2.0

v0.20.0

v0.20.1

v0.21.0

v0.21.1

v0.22.0

v0.22.1

v0.22.2

v0.23.0

v0.24.0

v0.24.1

v0.25.0

v0.25.1

v0.25.2

v0.25.3

v0.26.0

v0.26.1

v0.27.0

v0.28.0

v0.29.0

v0.29.1

v0.29.2

v0.3.0

v0.3.1

v0.3.2

v0.30.0

v0.30.1

v0.31.0

v0.32.0

v0.33.0

v0.33.1

v0.33.2

v0.33.3

v0.34.0

v0.34.1

v0.35.0

v0.35.1

v0.36.0

v0.36.1

v0.36.2

v0.37.0

v0.37.1

v0.38.0

v0.39.0

v0.39.1

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.40.0

v0.40.1

v0.41.0

v0.41.1

v0.42.0

v0.43.0

v0.44.0

v0.44.1

v0.45.0

v0.46.0

v0.46.1

v0.47.0

v0.47.1

v0.47.2

v0.48.0

v0.48.1

v0.49.0

v0.5.0

v0.50.0

v0.50.1

v0.50.2

v0.51.0

v0.51.1

v0.51.2

v0.52.0

v0.52.1

v0.53.0

v0.53.1

v0.53.2

v0.53.3

v0.54.0

v0.54.1

v0.54.2

v0.54.3

v0.54.4

v0.55.0

v0.55.1

v0.56.0

v0.57.0

v0.57.1

v0.58.0

v0.58.1

v0.59.0

v0.6.0

v0.60.0

v0.60.1

v0.61.0

v0.62.0

v0.63.0

v0.63.1

v0.64.0

v0.64.1

v0.65.0

v0.66.0

v0.66.0-next.0

v0.66.0-next.1

v0.67.0

v0.67.0-next.0

v0.68.0

v0.69.0

v0.7.0

v0.70.0

v0.71.0

v0.71.0-next.0

v0.8.0

v0.8.1

v0.8.2

v0.9.0

v1.*

v1.0.0

v1.1.0

v1.1.0-next.0

v1.1.0-next.1

v1.1.0-next.2

v1.1.0-next.3

v1.10.0

v1.10.0-next.0

v1.10.0-next.1

v1.10.0-next.2

v1.11.0

v1.11.0-next.0

v1.11.0-next.1

v1.11.0-next.2

v1.12.0

v1.12.0-next.0

v1.12.0-next.1

v1.12.0-next.2

v1.13.0

v1.13.0-next.0

v1.13.0-next.1

v1.13.0-next.2

v1.13.0-next.3

v1.14.0

v1.14.0-next.0

v1.14.0-next.1

v1.14.0-next.2

v1.15.0

v1.15.0-next.0

v1.15.0-next.1

v1.15.0-next.2

v1.15.0-next.3

v1.16.0

v1.16.0-next.0

v1.16.0-next.1

v1.16.0-next.2

v1.17.0

v1.17.0-next.0

v1.17.0-next.1

v1.17.0-next.2

v1.18.0

v1.18.0-next.0

v1.18.0-next.1

v1.18.0-next.2

v1.18.0-next.3

v1.19.0

v1.19.0-next.0

v1.19.0-next.1

v1.19.0-next.2

v1.2.0

v1.2.0-next.0

v1.2.0-next.1

v1.2.0-next.2

v1.2.0-next.3

v1.20.0

v1.20.0-next.0

v1.20.0-next.1

v1.20.0-next.2

v1.21.0

v1.21.0-next.0

v1.21.0-next.1

v1.21.0-next.2

v1.21.0-next.3

v1.21.0-next.4

v1.22.0

v1.22.0-next.0

v1.22.0-next.1

v1.22.0-next.2

v1.23.0

v1.23.0-next.0

v1.23.0-next.1

v1.23.0-next.2

v1.23.0-next.3

v1.24.0

v1.24.0-next.0

v1.24.0-next.1

v1.24.0-next.2

v1.24.1

v1.24.2

v1.25.0

v1.26.0

v1.26.0-next.0

v1.26.0-next.1

v1.27.0

v1.27.0-next.0

v1.27.0-next.1

v1.27.0-next.2

v1.28.0

v1.28.0-next.0

v1.28.0-next.1

v1.28.0-next.2

v1.28.0-next.3

v1.29.0

v1.29.0-next.0

v1.29.0-next.1

v1.29.0-next.2

v1.3.0

v1.3.0-next.0

v1.3.0-next.1

v1.3.0-next.2

v1.30.0

v1.30.0-next.0

v1.30.0-next.1

v1.30.0-next.2

v1.30.0-next.3

v1.30.0-next.4

v1.31.0

v1.31.0-next.0

v1.31.0-next.1

v1.31.0-next.2

v1.32.0

v1.32.0-next.0

v1.32.0-next.1

v1.32.0-next.2

v1.33.0

v1.33.0-next.0

v1.33.0-next.1

v1.33.0-next.2

v1.33.0-next.3

v1.34.0

v1.34.0-next.0

v1.34.0-next.1

v1.34.0-next.2

v1.35.0

v1.35.0-next.0

v1.35.0-next.1

v1.35.0-next.2

v1.36.0

v1.36.0-next.0

v1.36.0-next.1

v1.36.0-next.2

v1.36.0-next.3

v1.37.0

v1.37.0-next.0

v1.37.0-next.1

v1.37.0-next.2

v1.38.0

v1.38.0-next.0

v1.38.0-next.1

v1.38.0-next.2

v1.39.0

v1.39.0-next.0

v1.39.0-next.1

v1.39.0-next.2

v1.39.0-next.3

v1.4.0

v1.4.0-next.0

v1.4.0-next.1

v1.4.0-next.2

v1.4.0-next.3

v1.40.0

v1.40.0-next.0

v1.40.0-next.1

v1.40.0-next.2

v1.40.0-next.3

v1.41.0

v1.41.0-next.0

v1.41.0-next.1

v1.41.0-next.2

v1.42.0

v1.42.0-next.0

v1.42.0-next.1

v1.42.0-next.2

v1.42.0-next.3

v1.43.0

v1.43.0-next.0

v1.43.0-next.1

v1.43.0-next.2

v1.44.0

v1.44.0-next.0

v1.44.0-next.1

v1.44.0-next.2

v1.44.0-next.3

v1.45.0

v1.45.0-next.0

v1.45.0-next.1

v1.45.0-next.2

v1.45.0-next.3

v1.46.0

v1.46.0-next.0

v1.46.0-next.1

v1.46.0-next.2

v1.47.0-next.0

v1.47.0-next.1

v1.47.0-next.2

v1.47.0-next.3

v1.5.0

v1.5.0-next.0

v1.5.0-next.1

v1.5.0-next.2

v1.5.0-next.3

v1.6.0

v1.6.0-next.0

v1.6.0-next.1

v1.6.0-next.2

v1.6.0-next.3

v1.7.0

v1.7.0-next.0

v1.7.0-next.1

v1.7.0-next.2

v1.8.0

v1.8.0-next.0

v1.8.0-next.1

v1.8.0-next.2

v1.9.0

v1.9.0-next.0

v1.9.0-next.1

v1.9.0-next.2

v1.9.0-next.3

v1.9.0-next.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24048.json"