Vulnerability Details CVE-2026-24048
Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to one of these versions or later. Some workarounds are available: restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints.
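The core of the issue above is that an allowlist checked only against the initial URL says nothing about where a redirect lands. The following is an added example, not Backstage's own code or its actual fix: a small URL reader that refuses to follow a redirect unless the redirect target also passes the allowlist. The `AllowRule` shape (host plus optional path prefixes) and the wildcard-host syntax mirror the idea of `backend.reading.allow` entries but are assumptions here; the hostnames, allowlist and canned responses are constructed so the example runs offline.

```typescript
// Added example, not Backstage's own code: a redirect-aware URL allowlist check.
// AllowRule mirrors the idea of a `backend.reading.allow` entry (host plus
// optional path prefixes); treat the exact schema and wildcard syntax as assumptions.
type AllowRule = { host: string; paths?: string[] };

// Minimal stand-in for the parts of a fetch Response this example needs,
// so everything runs offline against constructed responses.
type SimResponse = { status: number; location?: string; body?: string };
type SimFetcher = (url: string) => SimResponse;

// Match a hostname against an allow entry; "*.example.com" matches any
// subdomain (one level or deeper) but not the bare apex "example.com".
function hostMatches(hostname: string, rule: string): boolean {
  if (rule.startsWith('*.')) {
    const suffix = rule.slice(1); // ".example.com"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return hostname === rule;
}

function parseUrl(url: string): URL | null {
  try {
    return new URL(url);
  } catch {
    return null; // unparseable input is never allowed
  }
}

// The allowlist check that must run on EVERY hop, not just on the first URL.
function isUrlAllowed(url: string, allow: AllowRule[]): boolean {
  const parsed = parseUrl(url);
  if (!parsed) return false;
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  const { hostname, pathname } = parsed;
  return allow.some(
    rule =>
      hostMatches(hostname, rule.host) &&
      (rule.paths === undefined || rule.paths.some(p => pathname.startsWith(p))),
  );
}

// Fetch a URL, re-checking the allowlist on every redirect hop. A real
// implementation would call fetch(url, { redirect: 'manual' }) so that the
// 3xx response and its Location header come back instead of being followed.
function readUrlChecked(
  url: string,
  allow: AllowRule[],
  fetcher: SimFetcher,
  maxRedirects = 5,
): string {
  let current = url;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!isUrlAllowed(current, allow)) {
      throw new Error(`Reading from '${current}' is not allowed (redirect hop ${hop})`);
    }
    const res = fetcher(current);
    if (res.status >= 300 && res.status < 400) {
      if (!res.location) throw new Error(`Redirect from '${current}' without Location`);
      // Resolve relative Location values against the current URL, as a client would.
      current = new URL(res.location, current).toString();
      continue;
    }
    if (res.status !== 200 || res.body === undefined) {
      throw new Error(`Unexpected status ${res.status} from '${current}'`);
    }
    return res.body;
  }
  throw new Error(`Too many redirects while reading '${url}'`);
}

// Constructed allowlist and canned responses standing in for remote servers.
const ALLOW: AllowRule[] = [
  { host: 'raw.example.com' },
  { host: '*.trusted.example', paths: ['/public/'] },
];

const CANNED: Record<string, SimResponse> = {
  'https://raw.example.com/catalog-info.yaml': { status: 302, location: '/v2/catalog-info.yaml' },
  'https://raw.example.com/v2/catalog-info.yaml': { status: 200, body: 'kind: Component' },
  // An allowed host with an open redirect pointing at a (constructed) internal service.
  'https://raw.example.com/open-redirect': { status: 302, location: 'http://internal-service.local/admin' },
  'http://internal-service.local/admin': { status: 200, body: 'internal admin page' },
  'https://raw.example.com/loop': { status: 302, location: '/loop' },
  'https://docs.trusted.example/public/readme.md': { status: 200, body: '# readme' },
};

const simulatedFetch: SimFetcher = url => CANNED[url] ?? { status: 404 };

// Convenience wrapper that reports the outcome instead of throwing.
function describeRead(url: string): { ok: boolean; detail: string } {
  try {
    return { ok: true, detail: readUrlChecked(url, ALLOW, simulatedFetch) };
  } catch (e) {
    return { ok: false, detail: e instanceof Error ? e.message : String(e) };
  }
}

for (const u of Object.keys(CANNED)) console.log(u, describeRead(u));
```

Running it shows the behaviour the advisory calls for: the same-host redirect to `/v2/catalog-info.yaml` is followed, the redirect from the allowed host to `internal-service.local` is rejected at hop 1, and a self-redirecting URL stops at the hop limit. The per-hop check is what closes the bypass; restricting `backend.reading.allow` to hosts you control, as the workaround above says, reduces how often such a redirect can occur in the first place.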
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 11.8%
CVSS Severity
CVSS v3 Score 3.5
Products affected by CVE-2026-24048
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.1.0
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.1.1
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.1.10
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.1.11
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.1.12
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.1.13
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.1.2
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.1.3
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.1.4
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.1.5
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.1.7
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.1.8
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.1.9
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.10.0
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.10.1
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.11.0
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.11.1
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.11.2
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.12.0
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.12.1
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.13.0
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.13.1
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.13.2
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.14.0
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.14.1
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.0
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.10
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.13
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.14
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.15
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.16
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.17
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.18
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.19
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.2
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.3
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.5
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.6
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.7
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.8
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.2.9
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.3.0
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.3.3
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.3.4
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.4.0
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.4.2
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.5.0
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.5.1
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.5.3
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.6.0
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.7.0
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.8.0
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.8.2
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.9.0
- cpe:2.3:a:linuxfoundation:backstage/backend_defaults:0.9.1