Configuration Bypass Vulnerability in Backstage Open Framework by Spotify
CVE-2026-29186

7.7 HIGH

Key Information:

Vendor

Backstage

Status
Vendor
CVE Published:
7 March 2026

What is CVE-2026-29186?

Backstage, an open framework designed by Spotify for building developer portals, has a configuration bypass vulnerability that allows arbitrary code execution. Specifically, the allowlist mechanism in the @backstage/plugin-techdocs-node package fails to filter certain dangerous MkDocs configuration keys used during the documentation build. An attacker who can supply a crafted mkdocs.yml file can therefore execute arbitrary Python code on the build host, circumventing the security measures TechDocs relies on. The vulnerability is fixed in version 1.14.3. For more details, see the GitHub advisory.
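The core lesson of this advisory is a design one: a filter that tries to strip known-dangerous configuration keys lets through anything it does not know about, whereas a deny-by-default allowlist rejects every key, plugin and extension that has not been explicitly approved. The following added example (written for this page; it is not Backstage's own code and does not reproduce the real TechDocs allowlist) shows the two patterns side by side for an mkdocs.yml that has already been parsed into a Python mapping, as a safe YAML load would produce. The approved key, plugin and extension names are constructed for illustration, as are the two sample configurations.

```python
from __future__ import annotations
from typing import Any

# Illustrative deny-by-default allowlists. These are constructed for the example and
# are NOT the lists used by @backstage/plugin-techdocs-node.
ALLOWED_TOP_LEVEL_KEYS = {"site_name", "site_description", "site_url", "nav",
                          "plugins", "markdown_extensions"}
ALLOWED_PLUGINS = {"search"}
ALLOWED_MARKDOWN_EXTENSIONS = {"admonition", "toc", "tables"}

# Option values accepted inside an approved plugin/extension block: flat scalars only.
SCALARS = (str, int, float, bool, type(None))


def _check_entry_list(section: str, value: Any, allowed: set[str]) -> list[str]:
    """Validate a `plugins:` or `markdown_extensions:` list.

    Each entry must be either a bare name on the allowlist or a one-key mapping
    `{name: {option: scalar, ...}}` whose name is on the allowlist. Anything else
    (unknown names, nested option blocks, malformed entries) is reported.
    """
    if value is None:
        return []
    if not isinstance(value, list):
        return [f"{section}: expected a list, got {type(value).__name__}"]
    problems: list[str] = []
    for entry in value:
        if isinstance(entry, str):
            name, options = entry, {}
        elif isinstance(entry, dict) and len(entry) == 1:
            name, options = next(iter(entry.items()))
            options = {} if options is None else options
        else:
            problems.append(f"{section}: malformed entry {entry!r} rejected")
            continue
        if name not in allowed:
            problems.append(f"{section}: {name!r} is not on the allowlist")
            continue
        if not isinstance(options, dict) or any(
            not isinstance(v, SCALARS) for v in options.values()
        ):
            problems.append(f"{section}: options for {name!r} must be flat scalars")
    return problems


def validate_mkdocs_config(config: Any) -> list[str]:
    """Deny-by-default check: return a list of violations (empty means acceptable)."""
    if not isinstance(config, dict):
        return ["top level: expected a mapping"]
    problems = [f"top level: {key!r} is not on the allowlist"
                for key in config if key not in ALLOWED_TOP_LEVEL_KEYS]
    problems += _check_entry_list("plugins", config.get("plugins"), ALLOWED_PLUGINS)
    problems += _check_entry_list("markdown_extensions",
                                  config.get("markdown_extensions"),
                                  ALLOWED_MARKDOWN_EXTENSIONS)
    return problems


def is_safe_to_build(config: Any) -> bool:
    return not validate_mkdocs_config(config)


def blocklist_filter(config: dict, denied: frozenset[str] = frozenset({"known_bad_key"})) -> dict:
    """The weaker pattern: drop keys known to be dangerous and pass everything else.
    Any key the maintainers did not anticipate survives untouched."""
    return {k: v for k, v in config.items() if k not in denied}


# Constructed sample configurations (not taken from any real repository).
SAFE_CONFIG = {
    "site_name": "Team Docs",
    "nav": [{"Home": "index.md"}],
    "plugins": ["search"],
    "markdown_extensions": ["admonition", {"toc": {"permalink": True}}],
}
SUSPECT_CONFIG = {
    "site_name": "Team Docs",
    "unlisted_setting": "anything",                       # not on the allowlist
    "plugins": ["search", {"other_plugin": {"script": "x.py"}}],  # unapproved plugin
    "markdown_extensions": [{"toc": {"nested": {"a": 1}}}],       # nested options
}

if __name__ == "__main__":
    print("safe config problems:   ", validate_mkdocs_config(SAFE_CONFIG))
    print("suspect config problems:", validate_mkdocs_config(SUSPECT_CONFIG))
    print("blocklist keeps unknown key:",
          "unlisted_setting" in blocklist_filter(SUSPECT_CONFIG))
```

Running the script shows the suspect configuration rejected for three independent reasons by the allowlist, while `blocklist_filter` passes it through unchanged because none of its keys is on the deny list. In a real build pipeline the validated mapping, not the original file, should be what reaches MkDocs, and the YAML must be loaded with a loader that does not resolve language-specific tags.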

Affected Version(s)

backstage < 1.14.3

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved