CVE-2026-32237

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-32237

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32237.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-32237

Aliases

GHSA-8wq8-6859-qx77

Published

2026-03-12T18:38:57.156Z

Modified

2026-04-10T05:42:20.089657Z

Severity

4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Details

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.

Database specific

{
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32237.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/backstage/backstage

Affected ranges

Type: GIT
Repo: https://github.com/backstage/backstage
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3b62dd2d6bf7623ebd23e4b5a6dceb209f98dfce

Affected versions

Other

cli-old-cache-watch

hackweek-demo

release-2021-01-07

release-2021-01-08

release-2021-01-09

release-2021-01-14

release-2021-01-18

release-2021-01-20

release-2021-01-21

release-2021-01-28

release-2021-01-29

release-2021-02-01

release-2021-02-03

release-2021-02-05

release-2021-02-11

release-2021-02-16

release-2021-02-18

release-2021-02-23

release-2021-03-04

release-2021-03-09

release-2021-03-11

release-2021-03-16

release-2021-03-17

release-2021-03-18

release-2021-03-19

release-2021-03-25

release-2021-03-31

release-2021-04-08

release-2021-04-13

release-2021-04-15

release-2021-04-21

release-2021-04-22

release-2021-04-29

release-2021-05-04

release-2021-05-06

release-2021-05-10

release-2021-05-11

release-2021-05-12

release-2021-05-17

release-2021-05-20

release-2021-05-27

release-2021-05-31

release-2021-06-01

release-2021-06-03

release-2021-06-10

release-2021-06-17

release-2021-06-18

release-2021-06-21

release-2021-06-24

release-2021-06-28

release-2021-07-01

release-2021-07-07

release-2021-07-08

release-2021-07-14

release-2021-07-15

release-2021-07-16

release-2021-07-22

release-2021-07-29

release-2021-08-03

release-2021-08-05

release-2021-08-11

release-2021-08-12

release-2021-08-17

release-2021-08-19

release-2021-08-20

release-2021-08-26

release-2021-08-31

release-2021-09-02

release-2021-09-09

release-2021-09-14

release-2021-09-16

release-2021-09-17

release-2021-09-21

release-2021-09-23

release-2021-09-28

release-2021-09-30

release-2021-1-7

release-2021-10-04

release-2021-10-06

release-2021-10-07

release-2021-10-11

release-2021-10-13

release-2021-10-14

release-2021-10-16

release-2021-10-19

release-2021-10-21

release-2021-10-22

release-2021-10-28

release-2021-10-29

release-2021-11-08

release-2021-11-11

release-2021-11-12

release-2021-11-17

release-2021-11-18

release-2021-11-19

release-2021-11-25

release-2021-12-02

release-2021-12-07

release-2021-12-09

release-2021-12-10

release-2021-12-16

release-2021-12-23

release-2021-12-24

release-2021-12-30

release-2022-01-04

release-2022-01-13

release-2022-01-18

release-2022-01-20

release-2022-01-27

release-2021-01-14.*

release-2021-01-14.1

release-2021-01-21.*

release-2021-01-21.1

release-2021-03-11.*

release-2021-03-11.1

release-2021-03-31.*

release-2021-03-31.1

release-2021-04-22.*

release-2021-04-22.1

release-2021-05-12.*

release-2021-05-12.1

release-2021-05-20.*

release-2021-05-20.1

release-2021-06-10.*

release-2021-06-10.1

release-2021-06-17.*

release-2021-06-17.1

release-2021-06-21.*

release-2021-06-21.1

release-2021-07-14.*

release-2021-07-14.1

release-2021-10-29.*

release-2021-10-29.1

release-2021-11-11.*

release-2021-11-11.1

release-2021-11-17.*

release-2021-11-17.1

release-2022-01-20.*

release-2022-01-20.1

v0.*

v0.1.0

v0.1.1

v0.1.1-alpha.0

v0.1.1-alpha.1

v0.1.1-alpha.10

v0.1.1-alpha.11

v0.1.1-alpha.12

v0.1.1-alpha.13

v0.1.1-alpha.15

v0.1.1-alpha.16

v0.1.1-alpha.17

v0.1.1-alpha.18

v0.1.1-alpha.19

v0.1.1-alpha.2

v0.1.1-alpha.20

v0.1.1-alpha.21

v0.1.1-alpha.22

v0.1.1-alpha.23

v0.1.1-alpha.24

v0.1.1-alpha.25

v0.1.1-alpha.26

v0.1.1-alpha.3

v0.1.1-alpha.4

v0.1.1-alpha.5

v0.1.1-alpha.6

v0.1.1-alpha.7

v0.1.1-alpha.8

v0.10.0

v0.11.0

v0.11.1

v0.11.2

v0.11.3

v0.12.0

v0.13.0

v0.13.1

v0.14.0

v0.15.0

v0.16.0

v0.16.1

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.18.0

v0.18.1

v0.19.0

v0.2.0

v0.20.0

v0.20.1

v0.21.0

v0.21.1

v0.22.0

v0.22.1

v0.22.2

v0.23.0

v0.24.0

v0.24.1

v0.25.0

v0.25.1

v0.25.2

v0.25.3

v0.26.0

v0.26.1

v0.27.0

v0.28.0

v0.29.0

v0.29.1

v0.29.2

v0.3.0

v0.3.1

v0.3.2

v0.30.0

v0.30.1

v0.31.0

v0.32.0

v0.33.0

v0.33.1

v0.33.2

v0.33.3

v0.34.0

v0.34.1

v0.35.0

v0.35.1

v0.36.0

v0.36.1

v0.36.2

v0.37.0

v0.37.1

v0.38.0

v0.39.0

v0.39.1

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.40.0

v0.40.1

v0.41.0

v0.41.1

v0.42.0

v0.43.0

v0.44.0

v0.44.1

v0.45.0

v0.46.0

v0.46.1

v0.47.0

v0.47.1

v0.47.2

v0.48.0

v0.48.1

v0.49.0

v0.5.0

v0.50.0

v0.50.1

v0.50.2

v0.51.0

v0.51.1

v0.51.2

v0.52.0

v0.52.1

v0.53.0

v0.53.1

v0.53.2

v0.53.3

v0.54.0

v0.54.1

v0.54.2

v0.54.3

v0.54.4

v0.55.0

v0.55.1

v0.56.0

v0.57.0

v0.57.1

v0.58.0

v0.58.1

v0.59.0

v0.6.0

v0.60.0

v0.60.1

v0.61.0

v0.62.0

v0.63.0

v0.63.1

v0.64.0

v0.64.1

v0.65.0

v0.66.0

v0.66.0-next.0

v0.66.0-next.1

v0.67.0

v0.67.0-next.0

v0.68.0

v0.69.0

v0.7.0

v0.70.0

v0.71.0

v0.71.0-next.0

v0.8.0

v0.8.1

v0.8.2

v0.9.0

v1.*

v1.0.0

v1.1.0

v1.1.0-next.0

v1.1.0-next.1

v1.1.0-next.2

v1.1.0-next.3

v1.10.0

v1.10.0-next.0

v1.10.0-next.1

v1.10.0-next.2

v1.11.0

v1.11.0-next.0

v1.11.0-next.1

v1.11.0-next.2

v1.12.0

v1.12.0-next.0

v1.12.0-next.1

v1.12.0-next.2

v1.13.0

v1.13.0-next.0

v1.13.0-next.1

v1.13.0-next.2

v1.13.0-next.3

v1.14.0

v1.14.0-next.0

v1.14.0-next.1

v1.14.0-next.2

v1.15.0

v1.15.0-next.0

v1.15.0-next.1

v1.15.0-next.2

v1.15.0-next.3

v1.16.0

v1.16.0-next.0

v1.16.0-next.1

v1.16.0-next.2

v1.17.0

v1.17.0-next.0

v1.17.0-next.1

v1.17.0-next.2

v1.18.0

v1.18.0-next.0

v1.18.0-next.1

v1.18.0-next.2

v1.18.0-next.3

v1.19.0

v1.19.0-next.0

v1.19.0-next.1

v1.19.0-next.2

v1.2.0

v1.2.0-next.0

v1.2.0-next.1

v1.2.0-next.2

v1.2.0-next.3

v1.20.0

v1.20.0-next.0

v1.20.0-next.1

v1.20.0-next.2

v1.21.0

v1.21.0-next.0

v1.21.0-next.1

v1.21.0-next.2

v1.21.0-next.3

v1.21.0-next.4

v1.22.0

v1.22.0-next.0

v1.22.0-next.1

v1.22.0-next.2

v1.23.0

v1.23.0-next.0

v1.23.0-next.1

v1.23.0-next.2

v1.23.0-next.3

v1.24.0

v1.24.0-next.0

v1.24.0-next.1

v1.24.0-next.2

v1.24.1

v1.24.2

v1.25.0

v1.26.0

v1.26.0-next.0

v1.26.0-next.1

v1.27.0

v1.27.0-next.0

v1.27.0-next.1

v1.27.0-next.2

v1.28.0

v1.28.0-next.0

v1.28.0-next.1

v1.28.0-next.2

v1.28.0-next.3

v1.29.0

v1.29.0-next.0

v1.29.0-next.1

v1.29.0-next.2

v1.3.0

v1.3.0-next.0

v1.3.0-next.1

v1.3.0-next.2

v1.30.0

v1.30.0-next.0

v1.30.0-next.1

v1.30.0-next.2

v1.30.0-next.3

v1.30.0-next.4

v1.31.0

v1.31.0-next.0

v1.31.0-next.1

v1.31.0-next.2

v1.32.0

v1.32.0-next.0

v1.32.0-next.1

v1.32.0-next.2

v1.33.0

v1.33.0-next.0

v1.33.0-next.1

v1.33.0-next.2

v1.33.0-next.3

v1.34.0

v1.34.0-next.0

v1.34.0-next.1

v1.34.0-next.2

v1.35.0

v1.35.0-next.0

v1.35.0-next.1

v1.35.0-next.2

v1.36.0

v1.36.0-next.0

v1.36.0-next.1

v1.36.0-next.2

v1.36.0-next.3

v1.37.0

v1.37.0-next.0

v1.37.0-next.1

v1.37.0-next.2

v1.38.0

v1.38.0-next.0

v1.38.0-next.1

v1.38.0-next.2

v1.39.0

v1.39.0-next.0

v1.39.0-next.1

v1.39.0-next.2

v1.39.0-next.3

v1.4.0

v1.4.0-next.0

v1.4.0-next.1

v1.4.0-next.2

v1.4.0-next.3

v1.40.0

v1.40.0-next.0

v1.40.0-next.1

v1.40.0-next.2

v1.40.0-next.3

v1.41.0

v1.41.0-next.0

v1.41.0-next.1

v1.41.0-next.2

v1.42.0

v1.42.0-next.0

v1.42.0-next.1

v1.42.0-next.2

v1.42.0-next.3

v1.43.0

v1.43.0-next.0

v1.43.0-next.1

v1.43.0-next.2

v1.44.0

v1.44.0-next.0

v1.44.0-next.1

v1.44.0-next.2

v1.44.0-next.3

v1.45.0

v1.45.0-next.0

v1.45.0-next.1

v1.45.0-next.2

v1.45.0-next.3

v1.46.0

v1.46.0-next.0

v1.46.0-next.1

v1.46.0-next.2

v1.47.0

v1.47.0-next.0

v1.47.0-next.1

v1.47.0-next.2

v1.47.0-next.3

v1.48.0

v1.48.0-next.0

v1.48.0-next.1

v1.48.0-next.2

v1.48.1

v1.48.2

v1.48.3

v1.48.4

v1.5.0

v1.5.0-next.0

v1.5.0-next.1

v1.5.0-next.2

v1.5.0-next.3

v1.6.0

v1.6.0-next.0

v1.6.0-next.1

v1.6.0-next.2

v1.6.0-next.3

v1.7.0

v1.7.0-next.0

v1.7.0-next.1

v1.7.0-next.2

v1.8.0

v1.8.0-next.0

v1.8.0-next.1

v1.8.0-next.2

v1.9.0

v1.9.0-next.0

v1.9.0-next.1

v1.9.0-next.2

v1.9.0-next.3

v1.9.0-next.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32237.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "3.1.0"
            },
            {
                "fixed": "3.1.5"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "the"
            }
        ]
    }
]