Information Disclosure Vulnerability in Backstage by Spotify
CVE-2026-44374

4.3MEDIUM

Key Information:

Vendor: @backstage
Status: Plugin-catalog-backend-module-unprocessed; Plugin-catalog-unprocessed-entities; Plugin-catalog-unprocessed-entities-common
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-44374?

Backstage, a developer portal framework by Spotify, contains a vulnerability due to inadequate permission checks in the unprocessed entities read endpoints of the plugin @backstage/plugin-catalog-backend-module-unprocessed. This allows any authenticated user to access unprocessed entity records without proper ownership verification, leading to potential data exposure. The issue has been rectified in versions 0.6.11 for @backstage/plugin-catalog-backend-module-unprocessed, 0.0.15 for @backstage/plugin-catalog-unprocessed-entities-common, and 0.2.30 for @backstage/plugin-catalog-unprocessed-entities.

Affected Version(s)

plugin-catalog-backend-module-unprocessed < 0.6.11

plugin-catalog-unprocessed-entities < 0.2.30

plugin-catalog-unprocessed-entities-common < 0.0.15

References

https://github.com/backstage/backstage/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
May 5, 2026

CVE-2026-44374 Data

JSON