GHSA-928r-fm4v-mvrw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-928r-fm4v-mvrw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-928r-fm4v-mvrw/GHSA-928r-fm4v-mvrw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-928r-fm4v-mvrw
- Aliases
-
- CVE-2026-29186
- Published
- 2026-03-05T00:12:07Z
- Modified
- 2026-03-09T16:02:26.288095Z
- Severity
-
- 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L CVSS Calculator
- Summary
- TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution
- Details
-
Impact
This is a configuration bypass vulnerability that enables arbitrary code execution. The
@backstage/plugin-techdocs-nodepackage uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process.A gap in this allowlist allows attackers to craft an
mkdocs.ymlthat causes arbitrary Python code execution, completely bypassing TechDocs' security controls.Patches
Patched in
@backstage/plugin-techdocs-nodeversion 1.14.3Workarounds
If users cannot upgrade immediately:
- Use Docker mode with restricted access: Configure TechDocs with
runIn: dockerinstead ofrunIn: local. This provides container isolation, though it does not fully mitigate the risk. - Restrict repository access: Limit who can modify
mkdocs.ymlfiles in repositories that TechDocs processes. Only allow trusted contributors. - Manual review: Implement PR review requirements for changes to
mkdocs.ymlfiles to detect malicious hooks configurations before they are merged. - Downgrade MkDocs: Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features.
Note: Building documentation in CI/CD pipelines using
@techdocs/clidoes not mitigate this vulnerability, as the CLI uses the same vulnerable@backstage/plugin-techdocs-nodepackage.Resources
MkDocs Hooks Documentation MkDocs 1.4 Release Notes TechDocs Architecture
- Use Docker mode with restricted access: Configure TechDocs with
- Database specific
{ "cwe_ids": [ "CWE-434", "CWE-74" ], "github_reviewed": true, "github_reviewed_at": "2026-03-05T00:12:07Z", "nvd_published_at": "2026-03-07T15:15:55Z", "severity": "HIGH" }- References
-
- https://github.com/backstage/backstage/security/advisories/GHSA-928r-fm4v-mvrw
- https://nvd.nist.gov/vuln/detail/CVE-2026-29186
- https://backstage.io/docs/features/techdocs/architecture
- https://github.com/backstage/backstage
- https://www.mkdocs.org/about/release-notes/#version-14-2022-09-27
- https://www.mkdocs.org/user-guide/configuration/#hooks
Affected packages
npm / @backstage/plugin-techdocs-node
Package
- Name
- @backstage/plugin-techdocs-node
- View open source insights on deps.dev
- Purl
- pkg:npm/%40backstage/plugin-techdocs-node