CVE-2026-3118 — Vulnetix

CVE-2026-3118 PUBLISHED CVSS 6.5 MEDIUM

A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.

EPSS 0.02% · 6.4th percentile

Risk Scores

CVSS 3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.02%

6.4th percentile

Affected Products

Vendor	Product	Versions
Red Hat	Red Hat Developer Hub
redhat	developer_hub

Exploit Intelligence

CIRCL seen: CVE-2026-3118 (circl-sighting)
https://access.redhat.com/security/cve/CVE-2026-3118 (circl)
RHBZ#2442273 (circl)

Timeline

Feb 25, 2026 EPSS Score
Feb 25, 2026 CVE Published
Feb 25, 2026 PoC Published
Feb 27, 2026 EPSS Score
Feb 28, 2026 EPSS Score
Mar 2, 2026 EPSS Score
Mar 3, 2026 EPSS Score
Mar 5, 2026 EPSS Score
Mar 6, 2026 EPSS Score
Mar 8, 2026 EPSS Score
Mar 9, 2026 EPSS Score
Mar 11, 2026 EPSS Score

References

https://access.redhat.com/security/cve/CVE-2026-3118 vdb
RHBZ#2442273 issue
https://nvd.nist.gov/vuln/detail/CVE-2026-3118 advisory

Open in Interactive Console →