Arbitrary Code Execution Vulnerability in Backstage TechDocs Plugin
CVE-2026-25153
What is CVE-2026-25153?
@backstage/plugin-techdocs-node, the package that provides the core TechDocs build functionality, contains a serious flaw that lets a malicious actor execute arbitrary Python code on the TechDocs build server. The vulnerability is reachable when TechDocs is configured with runIn: local and the attacker is able to modify a mkdocs.yml file. In the affected versions, those before 1.13.11 and 1.14.1, the MkDocs hooks configuration was not handled safely, which allowed exploitation. The fixed releases implement an allowlist of supported configuration keys, which significantly reduces the attack surface. Users are advised to upgrade to the fixed versions and to consider alternative configurations, such as runIn: docker, for stronger isolation of the build. Restricting who can modify mkdocs.yml files and enforcing careful review of changes to them further mitigates the risk.
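As an added illustration of the allowlist approach the fix describes (example code written for this page, not Backstage's or @backstage/plugin-techdocs-node's own implementation; the key set, function names and sample input are assumptions), the following TypeScript filter drops the hooks key and any other key not on an allowlist before a parsed mkdocs.yml is handed to a local MkDocs build, and records what it removed:

```typescript
// Added example for this advisory; not code from Backstage or
// @backstage/plugin-techdocs-node. It filters a parsed mkdocs.yml object
// down to an allowlist of keys before the file reaches a local MkDocs run.

type MkDocsConfig = Record<string, unknown>;

interface DroppedKey {
  key: string;
  reason: string;
}

interface FilterResult {
  config: MkDocsConfig;
  dropped: DroppedKey[];
}

// ASSUMPTION: an illustrative allowlist, not the one shipped in the fixed
// Backstage releases. Every key absent from this set is removed.
const ALLOWED_MKDOCS_KEYS: ReadonlySet<string> = new Set([
  'site_name',
  'site_description',
  'site_url',
  'repo_url',
  'docs_dir',
  'nav',
  'theme',
  'plugins',
  'markdown_extensions',
  'extra',
  'extra_css',
  'extra_javascript',
]);

// The MkDocs `hooks` key names Python files that MkDocs imports and runs from
// the documentation checkout, which is the code-execution path the advisory
// describes. It gets its own reason so the audit line is unambiguous.
function filterMkdocsConfig(input: MkDocsConfig): FilterResult {
  const config: MkDocsConfig = {};
  const dropped: DroppedKey[] = [];

  for (const [key, value] of Object.entries(input)) {
    if (key === 'hooks') {
      dropped.push({
        key,
        reason: 'hooks load Python from the docs repository; never passed to a local build',
      });
      continue;
    }
    if (!ALLOWED_MKDOCS_KEYS.has(key)) {
      dropped.push({ key, reason: 'key is not on the allowlist' });
      continue;
    }
    config[key] = value;
  }
  return { config, dropped };
}

// Constructed sample standing in for a parsed mkdocs.yml (parsing the YAML
// itself would be done with a YAML library and is out of scope here).
// The `hooks` entry and the unknown `custom_setting` key represent
// repository-controlled content the build server must not trust.
const SAMPLE_MKDOCS: MkDocsConfig = {
  site_name: 'Example Service Docs',
  nav: [{ Home: 'index.md' }],
  plugins: ['techdocs-core'],
  hooks: ['docs/build_hook.py'],
  custom_setting: true,
};

// Audit trail a build server would log for each dropped key.
function describeDropped(result: FilterResult): string[] {
  return result.dropped.map(d => `dropped mkdocs.yml key "${d.key}": ${d.reason}`);
}

const result = filterMkdocsConfig(SAMPLE_MKDOCS);
console.log(JSON.stringify(result.config, null, 2));
for (const line of describeDropped(result)) {
  console.log(line);
}
```

The filter is deliberately deny-by-default: an unknown key is dropped rather than passed through, so a new MkDocs option only reaches the build after someone has consciously added it to the allowlist. Independently of such filtering, the advisory's other recommendation applies: setting techdocs.generator.runIn to docker in app-config.yaml runs MkDocs in a container instead of directly on the build server, so a hooks entry that did slip through would execute inside that container rather than on the host.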
Affected Version(s)
backstage < 1.13.11
backstage = 1.14.0
