Path Traversal Vulnerability in Backstage Framework by Spotify
CVE-2026-29185

2.7 LOW

Key Information:

Vendor:
Backstage
Status:
Vendor
CVE Published:
7 March 2026

What is CVE-2026-29185?

Prior to version 1.20.1 of Backstage, the URL parsing for SCM integrations contained a security flaw. Percent-encoded path traversal sequences were not neutralised and were incorporated into file paths during processing. This could cause API requests to be redirected to attacker-controlled endpoints while still carrying the server-side integration credentials. The issue was fixed in version 1.20.1.
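The defensive pattern this class of bug calls for, as an added example that is not Backstage's own code: fully percent-decode user-supplied repository coordinates before checking them, reject dot segments, and confirm the resolved API URL still lives under the configured integration base before any credential is attached. The `buildContentsUrl` function, its `repos/<owner>/<repo>/contents/<path>` layout and the `api.example.com` host are hypothetical.

```typescript
// Added example (hypothetical API layout, not Backstage project code).

class UnsafeLocationError extends Error {
  constructor(message: string) {
    super(message);
    Object.setPrototypeOf(this, UnsafeLocationError.prototype);
  }
}

// Decode until the value stops changing, so "%252e%252e" (double-encoded "..")
// cannot slip past a check that only inspects the raw string.
function fullyDecode(value: string): string {
  let current = value;
  for (let round = 0; round < 5; round++) {
    let next: string;
    try {
      next = decodeURIComponent(current);
    } catch {
      throw new UnsafeLocationError(`malformed encoding in ${JSON.stringify(value)}`);
    }
    if (next === current) return current;
    current = next;
  }
  throw new UnsafeLocationError(`too many encoding layers in ${JSON.stringify(value)}`);
}

// Split a decoded path and reject any segment that URL normalisation could
// reinterpret: "..", ".", empty segments, backslashes and NUL bytes.
function validateRepoPath(filePath: string): string[] {
  const decoded = fullyDecode(filePath).replace(/\\/g, '/').replace(/^\/+/, '');
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.' || seg === '..' || seg.includes('\0')) {
      throw new UnsafeLocationError(`unsafe segment ${JSON.stringify(seg)} in ${JSON.stringify(filePath)}`);
    }
  }
  return decoded.split('/');
}

function singleSegment(value: string): string {
  const segments = validateRepoPath(value);
  if (segments.length !== 1) throw new UnsafeLocationError(`expected one segment: ${JSON.stringify(value)}`);
  return encodeURIComponent(segments[0]);
}

// Build the integration API URL and verify it never escapes the configured base,
// because the caller will attach server-side credentials to the request.
function buildContentsUrl(apiBase: string, owner: string, repo: string, filePath: string): string {
  const base = new URL(apiBase.endsWith('/') ? apiBase : `${apiBase}/`);
  const encodedPath = validateRepoPath(filePath).map(encodeURIComponent).join('/');
  const url = new URL(`repos/${singleSegment(owner)}/${singleSegment(repo)}/contents/${encodedPath}`, base);
  if (url.origin !== base.origin || !url.pathname.startsWith(base.pathname)) {
    throw new UnsafeLocationError(`resolved URL ${url.href} escapes ${base.href}`);
  }
  return url.href;
}
```

The origin and path-prefix check at the end is the second line of defence: even if a future change weakens segment validation, a request whose URL no longer sits under the integration base is refused before credentials are sent.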

Affected Version(s)

backstage < 1.20.1

References

CVSS V3.1

Score:
2.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
