Environment Secrets Exposure in Backstage by Spotify
CVE-2026-32237

4.4 MEDIUM

Key Information:

Vendor: @backstage

CVE Published: 12 March 2026

What is CVE-2026-32237?

Backstage is an open-source framework for building developer portals. In versions of @backstage/plugin-scaffolder-backend prior to 3.1.5, authenticated users who hold the permission to execute scaffolder dry-runs can obtain secret environment variables from the dry-run API response. Log output redacts these secrets, but some response payloads may still carry them when a deployment has configured `scaffolder.defaultEnvironment.secrets`. The issue is fixed in version 3.1.5 of @backstage/plugin-scaffolder-backend.
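The defensive gap the advisory describes is that log lines are scrubbed but the structured dry-run response is not. The following is an added illustration (not Backstage's own code, and not the actual 3.1.5 fix) of the kind of redaction pass a scaffolder API could apply to the response payload before returning it: every configured secret value is replaced wherever it appears, including inside longer strings such as URLs, and any subtree that echoes the environment back is dropped. The payload shape (`log`, `output`, `secrets`, `steps`), the `DROP_KEYS` names and the sample secret values are all constructed assumptions for the example.

```javascript
// Added illustrative example (not Backstage's own code): scrub configured secret
// values from a scaffolder dry-run response payload before it leaves the API,
// mirroring the redaction the advisory says already happens for logs.
// The payload shape below (log/output/secrets/steps) is a constructed assumption.

const REDACTED = '[REDACTED]';

// Constructed sample standing in for `scaffolder.defaultEnvironment.secrets`.
const defaultEnvironmentSecrets = {
  GITHUB_TOKEN: 'ghp_exampleSecretToken1234',
  NPM_TOKEN: 'npm_exampleSecret5678',
};

// Keys whose whole subtree echoes the environment back to the caller and is
// removed outright rather than redacted value by value (assumed key name).
const DROP_KEYS = new Set(['secrets']);

function collectSecretValues(secrets) {
  // Longest first, so a short secret that is a substring of a longer one
  // cannot leave a partial fragment behind after replacement.
  return Object.values(secrets)
    .filter(v => typeof v === 'string' && v.length > 0)
    .sort((a, b) => b.length - a.length);
}

function redactString(str, secretValues) {
  let out = str;
  for (const s of secretValues) out = out.split(s).join(REDACTED);
  return out;
}

// Recursively rebuild a JSON-like value with every occurrence of a secret
// value replaced, whether it is a whole string or embedded in a longer one.
function redactValue(value, secretValues) {
  if (typeof value === 'string') return redactString(value, secretValues);
  if (Array.isArray(value)) return value.map(v => redactValue(v, secretValues));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (DROP_KEYS.has(k)) continue; // never echo the secrets block at all
      out[k] = redactValue(v, secretValues);
    }
    return out;
  }
  return value; // numbers, booleans and null pass through unchanged
}

function redactDryRunResponse(response, secrets = defaultEnvironmentSecrets) {
  return redactValue(response, collectSecretValues(secrets));
}

// True when no configured secret value survives anywhere in the serialised
// payload; useful as a last-line check in a response middleware or a test.
function containsNoSecret(payload, secrets = defaultEnvironmentSecrets) {
  const text = JSON.stringify(payload);
  return collectSecretValues(secrets).every(s => !text.includes(s));
}

// Constructed dry-run response: one step embeds the token in a clone URL, one
// prints a variable assignment, and the environment block is reflected verbatim.
const sampleDryRunResponse = {
  log: [
    { body: { message: 'Cloning https://x-access-token:ghp_exampleSecretToken1234@github.com/acme/repo' } },
    { body: { message: 'Publishing with NPM_TOKEN=npm_exampleSecret5678' } },
  ],
  output: { remoteUrl: 'https://github.com/acme/repo' },
  secrets: { GITHUB_TOKEN: 'ghp_exampleSecretToken1234', NPM_TOKEN: 'npm_exampleSecret5678' },
  steps: [{ id: 'fetch', status: 'completed' }],
};

console.log(JSON.stringify(redactDryRunResponse(sampleDryRunResponse), null, 2));
```

Applying `containsNoSecret` to the redacted response is the check worth wiring into a test suite: it fails loudly if a new field (a step's resolved `env`, an error message, a templated URL) starts carrying a configured secret again. The string-level replacement deliberately does not rely on field names, because the leak in the advisory is precisely that secrets turned up in payload fields the log redaction never looked at.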

Affected Version(s)

plugin-scaffolder-backend < 3.1.5

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved