VDB
CVE-2026-29186
CVE-2026-29186
PUBLISHED
CVSS 7.699999809265137 HIGH
Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. A gap in this allowlist allows attackers to craft an mkdocs.yml that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3.
EPSS 0.04% · 11.7th percentile
Risk Scores
CVSS v3.1
7.699999809265137
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
EPSS Score
0.04%
11.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| backstage | plugin-techdocs-node | 0, 0, 0 |
| linuxfoundation | backstage_plugin-techdocs-node | 0, 0, 0 |
| backstage | backstage | *, *, * |
Timeline
- Mar 5, 2026 CVE Published
- Mar 7, 2026 PoC Published
- Mar 8, 2026 EPSS Score
- Mar 9, 2026 CVE Updated
- Mar 9, 2026 EPSS Score
- Mar 10, 2026 EPSS Score
- Mar 10, 2026 Security Advisory
- Mar 11, 2026 EPSS Score
- Mar 12, 2026 EPSS Score
- Mar 14, 2026 EPSS Score
- Mar 15, 2026 EPSS Score
- Mar 16, 2026 EPSS Score
References
- https://github.com/backstage/backstage/security/advisories/GHSA-928r-fm4v-mvrw url
- https://nvd.nist.gov/vuln/detail/CVE-2026-29186 advisory
- https://backstage.io/docs/features/techdocs/architecture url
- https://github.com/backstage/backstage package
- https://www.mkdocs.org/about/release-notes/#version-14-2022-09-27 url
- https://www.mkdocs.org/user-guide/configuration/#hooks url