CVE-2026-29185

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-29185

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29185.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-29185

Aliases

GHSA-95v5-prp4-5gv5

Published

2026-03-07T15:02:04.986Z

Modified

2026-04-10T05:41:38.198685Z

Severity

2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

@backstage/integration: Potential reading of SCM URLs using built in token

Details

Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that construct API URLs, the traversal segments could redirect requests to unintended SCM provider API endpoints using the configured server-side integration credentials. This issue has been patched in version 1.20.1.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29185.json",
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Git / github.com/backstage/backstage

Affected ranges

Type

GIT

Repo

https://github.com/backstage/backstage

Events

Introduced

Fixed

9473085f622fea246e26189e63f56b765c276488

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.20.1"
        }
    ]
}

Affected versions

Other

cli-old-cache-watch

hackweek-demo

release-2021-01-07

release-2021-01-08

release-2021-01-09

release-2021-01-14

release-2021-01-18

release-2021-01-20

release-2021-01-21

release-2021-01-28

release-2021-01-29

release-2021-02-01

release-2021-02-03

release-2021-02-05

release-2021-02-11

release-2021-02-16

release-2021-02-18

release-2021-02-23

release-2021-03-04

release-2021-03-09

release-2021-03-11

release-2021-03-16

release-2021-03-17

release-2021-03-18

release-2021-03-19

release-2021-03-25

release-2021-03-31

release-2021-04-08

release-2021-04-13

release-2021-04-15

release-2021-04-21

release-2021-04-22

release-2021-04-29

release-2021-05-04

release-2021-05-06

release-2021-05-10

release-2021-05-11

release-2021-05-12

release-2021-05-17

release-2021-05-20

release-2021-05-27

release-2021-05-31

release-2021-06-01

release-2021-06-03

release-2021-06-10

release-2021-06-17

release-2021-06-18

release-2021-06-21

release-2021-06-24

release-2021-06-28

release-2021-07-01

release-2021-07-07

release-2021-07-08

release-2021-07-14

release-2021-07-15

release-2021-07-16

release-2021-07-22

release-2021-07-29

release-2021-08-03

release-2021-08-05

release-2021-08-11

release-2021-08-12

release-2021-08-17

release-2021-08-19

release-2021-08-20

release-2021-08-26

release-2021-08-31

release-2021-09-02

release-2021-09-09

release-2021-09-14

release-2021-09-16

release-2021-09-17

release-2021-09-21

release-2021-09-23

release-2021-09-28

release-2021-09-30

release-2021-1-7

release-2021-10-04

release-2021-10-06

release-2021-10-07

release-2021-10-11

release-2021-10-13

release-2021-10-14

release-2021-10-16

release-2021-10-19

release-2021-10-21

release-2021-10-22

release-2021-10-28

release-2021-10-29

release-2021-11-08

release-2021-11-11

release-2021-11-12

release-2021-11-17

release-2021-11-18

release-2021-11-19

release-2021-11-25

release-2021-12-02

release-2021-12-07

release-2021-12-09

release-2021-12-10

release-2021-12-16

release-2021-12-23

release-2021-12-24

release-2021-12-30

release-2022-01-04

release-2022-01-13

release-2022-01-18

release-2022-01-20

release-2022-01-27

release-2021-01-14.*

release-2021-01-14.1

release-2021-01-21.*

release-2021-01-21.1

release-2021-03-11.*

release-2021-03-11.1

release-2021-03-31.*

release-2021-03-31.1

release-2021-04-22.*

release-2021-04-22.1

release-2021-05-12.*

release-2021-05-12.1

release-2021-05-20.*

release-2021-05-20.1

release-2021-06-10.*

release-2021-06-10.1

release-2021-06-17.*

release-2021-06-17.1

release-2021-06-21.*

release-2021-06-21.1

release-2021-07-14.*

release-2021-07-14.1

release-2021-10-29.*

release-2021-10-29.1

release-2021-11-11.*

release-2021-11-11.1

release-2021-11-17.*

release-2021-11-17.1

release-2022-01-20.*

release-2022-01-20.1

v0.*

v0.1.0

v0.1.1

v0.1.1-alpha.0

v0.1.1-alpha.1

v0.1.1-alpha.10

v0.1.1-alpha.11

v0.1.1-alpha.12

v0.1.1-alpha.13

v0.1.1-alpha.15

v0.1.1-alpha.16

v0.1.1-alpha.17

v0.1.1-alpha.18

v0.1.1-alpha.19

v0.1.1-alpha.2

v0.1.1-alpha.20

v0.1.1-alpha.21

v0.1.1-alpha.22

v0.1.1-alpha.23

v0.1.1-alpha.24

v0.1.1-alpha.25

v0.1.1-alpha.26

v0.1.1-alpha.3

v0.1.1-alpha.4

v0.1.1-alpha.5

v0.1.1-alpha.6

v0.1.1-alpha.7

v0.1.1-alpha.8

v0.10.0

v0.11.0

v0.11.1

v0.11.2

v0.11.3

v0.12.0

v0.13.0

v0.13.1

v0.14.0

v0.15.0

v0.16.0

v0.16.1

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.18.0

v0.18.1

v0.19.0

v0.2.0

v0.20.0

v0.20.1

v0.21.0

v0.21.1

v0.22.0

v0.22.1

v0.22.2

v0.23.0

v0.24.0

v0.24.1

v0.25.0

v0.25.1

v0.25.2

v0.25.3

v0.26.0

v0.26.1

v0.27.0

v0.28.0

v0.29.0

v0.29.1

v0.29.2

v0.3.0

v0.3.1

v0.3.2

v0.30.0

v0.30.1

v0.31.0

v0.32.0

v0.33.0

v0.33.1

v0.33.2

v0.33.3

v0.34.0

v0.34.1

v0.35.0

v0.35.1

v0.36.0

v0.36.1

v0.36.2

v0.37.0

v0.37.1

v0.38.0

v0.39.0

v0.39.1

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.40.0

v0.40.1

v0.41.0

v0.41.1

v0.42.0

v0.43.0

v0.44.0

v0.44.1

v0.45.0

v0.46.0

v0.46.1

v0.47.0

v0.47.1

v0.47.2

v0.48.0

v0.48.1

v0.49.0

v0.5.0

v0.50.0

v0.50.1

v0.50.2

v0.51.0

v0.51.1

v0.51.2

v0.52.0

v0.52.1

v0.53.0

v0.53.1

v0.53.2

v0.53.3

v0.54.0

v0.54.1

v0.54.2

v0.54.3

v0.54.4

v0.55.0

v0.55.1

v0.56.0

v0.57.0

v0.57.1

v0.58.0

v0.58.1

v0.59.0

v0.6.0

v0.60.0

v0.60.1

v0.61.0

v0.62.0

v0.63.0

v0.63.1

v0.64.0

v0.64.1

v0.65.0

v0.66.0

v0.66.0-next.0

v0.66.0-next.1

v0.67.0

v0.67.0-next.0

v0.68.0

v0.69.0

v0.7.0

v0.70.0

v0.71.0

v0.71.0-next.0

v0.8.0

v0.8.1

v0.8.2

v0.9.0

v1.*

v1.0.0

v1.1.0

v1.1.0-next.0

v1.1.0-next.1

v1.1.0-next.2

v1.1.0-next.3

v1.10.0

v1.10.0-next.0

v1.10.0-next.1

v1.10.0-next.2

v1.11.0

v1.11.0-next.0

v1.11.0-next.1

v1.11.0-next.2

v1.12.0

v1.12.0-next.0

v1.12.0-next.1

v1.12.0-next.2

v1.13.0

v1.13.0-next.0

v1.13.0-next.1

v1.13.0-next.2

v1.13.0-next.3

v1.14.0

v1.14.0-next.0

v1.14.0-next.1

v1.14.0-next.2

v1.15.0

v1.15.0-next.0

v1.15.0-next.1

v1.15.0-next.2

v1.15.0-next.3

v1.16.0

v1.16.0-next.0

v1.16.0-next.1

v1.16.0-next.2

v1.17.0

v1.17.0-next.0

v1.17.0-next.1

v1.17.0-next.2

v1.18.0

v1.18.0-next.0

v1.18.0-next.1

v1.18.0-next.2

v1.18.0-next.3

v1.19.0

v1.19.0-next.0

v1.19.0-next.1

v1.19.0-next.2

v1.2.0

v1.2.0-next.0

v1.2.0-next.1

v1.2.0-next.2

v1.2.0-next.3

v1.20.0

v1.20.0-next.0

v1.20.0-next.1

v1.20.0-next.2

v1.3.0

v1.3.0-next.0

v1.3.0-next.1

v1.3.0-next.2

v1.4.0

v1.4.0-next.0

v1.4.0-next.1

v1.4.0-next.2

v1.4.0-next.3

v1.5.0

v1.5.0-next.0

v1.5.0-next.1

v1.5.0-next.2

v1.5.0-next.3

v1.6.0

v1.6.0-next.0

v1.6.0-next.1

v1.6.0-next.2

v1.6.0-next.3

v1.7.0

v1.7.0-next.0

v1.7.0-next.1

v1.7.0-next.2

v1.8.0

v1.8.0-next.0

v1.8.0-next.1

v1.8.0-next.2

v1.9.0

v1.9.0-next.0

v1.9.0-next.1

v1.9.0-next.2

v1.9.0-next.3

v1.9.0-next.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29185.json"