CVE-2026-44374: Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks

Published May 6, 2026
·
Updated

Impact

The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module. ### Patches This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30. Users should upgrade all packages. ### Workarounds If users cannot upgrade, they can remove the @backstage/plugin-catalog-backend-module-unprocessed module from their backend until the patch is applied. There is no configuration-based workaround to add permission checks to these endpoints without upgrading.

Other sources

Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module. This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30.

MITRE

Affected Software

6 affected componentsFixes available
npm/@backstage/plugin-catalog-backend-module-unprocessed<0.6.11
0.6.11
npm/@backstage/plugin-catalog-unprocessed-entities<0.2.30
0.2.30
npm/@backstage/plugin-catalog-unprocessed-entities-common<0.0.15
0.0.15
linuxfoundation Backstage\/plugin-catalog-backend-module-unprocessed Node.js<0.6.11
linuxfoundation Backstage\/plugin-catalog-unprocessed-entities Node.js<0.2.30
linuxfoundation Backstage\/plugin-catalog-unprocessed-entities-common Node.js<0.0.15

Event History

May 6, 2026
Advisory Published
via GitHub·11:04 PM
Data Sourced
via GitHub·11:04 PM
DescriptionSeverityWeaknessAffected Software
May 14, 2026
CVE Published
via MITRE·02:30 PM
Data Sourced
via MITRE·02:30 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·03:16 PM
DescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-44374?

CVE-2026-44374 is classified as an information disclosure vulnerability due to unprocessed entities being accessible without proper authorization checks.

2

How do I fix CVE-2026-44374?

To fix CVE-2026-44374, update to version 0.6.11 of @backstage/plugin-catalog-backend-module-unprocessed, version 0.2.30 of @backstage/plugin-catalog-unprocessed-entities, or version 0.0.15 of @backstage/plugin-catalog-unprocessed-entities-common.

3

Who is affected by CVE-2026-44374?

Any application using the affected versions of @backstage/plugin-catalog-backend-module-unprocessed, @backstage/plugin-catalog-unprocessed-entities, or @backstage/plugin-catalog-unprocessed-entities-common is at risk.

4

What is the impact of CVE-2026-44374 on users?

Users with authentication can access unprocessed entity records regardless of their ownership, leading to potential exposure of sensitive information.

5

Are there any workarounds for CVE-2026-44374 before applying a patch?

Currently, there are no documented workarounds for CVE-2026-44374, and applying the patch is the recommended approach.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203