GHSA-8wq8-6859-qx77

Source
https://github.com/advisories/GHSA-8wq8-6859-qx77
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8wq8-6859-qx77/GHSA-8wq8-6859-qx77.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8wq8-6859-qx77
Aliases
Published
2026-03-12T14:51:06Z
Modified
2026-03-14T01:46:38.662561Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint
Details

### Impact

Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload.

Deployments that have configured scaffolder.defaultEnvironment.secrets are affected.

### Patches

This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.

### Workarounds

Remove or empty the scaffolder.defaultEnvironment.secrets configuration from app-config.yaml. Alternatively, restrict access to the scaffolder dry-run functionality via the permissions framework.

### References

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T14:51:06Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-03-12T19:16:19Z"
}
References

Affected packages

npm / @backstage/plugin-scaffolder-backend

Package

Name
@backstage/plugin-scaffolder-backend
Purl
pkg:npm/%40backstage/plugin-scaffolder-backend

Affected ranges

Type
SEMVER
Events
Introduced
3.1.0
Fixed
3.1.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8wq8-6859-qx77/GHSA-8wq8-6859-qx77.json"