CVE-2026-44374
Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks
Description
### Impact

The unprocessed entities read endpoints in `@backstage/plugin-catalog-backend-module-unprocessed` do not enforce permission authorization checks. Any authenticated user can read unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations that have this module installed in their backend.

### Patches

This is patched in `@backstage/plugin-catalog-backend-module-unprocessed` version 0.6.11, `@backstage/plugin-catalog-unprocessed-entities-common` version 0.0.15 and `@backstage/plugin-catalog-unprocessed-entities` version 0.2.30. Users should upgrade all three packages together.

### Workarounds

If users cannot upgrade, they can remove the `@backstage/plugin-catalog-backend-module-unprocessed` module from their backend until the patch is applied. There is no configuration-based workaround that adds permission checks to these endpoints without upgrading.
How to patch CVE-2026-44374
To patch CVE-2026-44374, upgrade the affected packages to the fixed versions listed below.
- `@backstage/plugin-catalog-backend-module-unprocessed`: upgrade to 0.6.11 or later
- `@backstage/plugin-catalog-unprocessed-entities`: upgrade to 0.2.30 or later
- `@backstage/plugin-catalog-unprocessed-entities-common`: upgrade to 0.0.15 or later
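Because the three packages ship together and one of them is only a transitive dependency of the backend module, it is easy to bump one and leave another at a vulnerable version. The following script is an added example, not code from the advisory or from the Backstage project: it walks the dependency tree that `npm ls --json` prints (or any `yarn`/`pnpm` output converted to that shape) and reports every occurrence of the three packages below the fixed versions from this advisory. The sample tree embedded at the bottom is constructed for illustration; the package names and fixed versions are taken from the advisory text.

```python
import json

# Fixed versions from the advisory (CVE-2026-44374). Anything below these is affected.
FIXED_VERSIONS = {
    "@backstage/plugin-catalog-backend-module-unprocessed": "0.6.11",
    "@backstage/plugin-catalog-unprocessed-entities-common": "0.0.15",
    "@backstage/plugin-catalog-unprocessed-entities": "0.2.30",
}


def parse_version(version):
    """Turn '0.6.11', 'v0.6.11' or '0.6.11-next.0' into a comparable tuple.

    Semver orders a prerelease (e.g. '0.6.11-next.0') before the release it
    precedes, so the trailing element is 0 for prereleases and 1 for releases.
    Range prefixes such as '^' or '~' are stripped; this is meant for the
    resolved versions in a lockfile / `npm ls` output, not for ranges.
    """
    core, _, prerelease = version.lstrip("v^~=").partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]) + (0 if prerelease else 1,)


def is_vulnerable(name, version):
    """True if `name` is one of the affected packages and `version` predates the fix."""
    fixed = FIXED_VERSIONS.get(name)
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)


def walk_tree(node, path=()):
    """Yield (name, version, path) for every package in an `npm ls --json` tree.

    `npm ls --json` nests packages under "dependencies"; nested entries carry
    their resolved "version". Entries without a version (e.g. dedup markers)
    are still descended into but not reported.
    """
    for name, child in (node.get("dependencies") or {}).items():
        child_path = path + (name,)
        version = child.get("version")
        if version:
            yield name, version, child_path
        yield from walk_tree(child, child_path)


def find_vulnerable(tree):
    """Return sorted (name, version, dependency_path) triples that need upgrading."""
    hits = {
        (name, version, " > ".join(path))
        for name, version, path in walk_tree(tree)
        if is_vulnerable(name, version)
    }
    return sorted(hits)


# Constructed sample: what `npm ls --json --all` might print for a backend where
# the module was installed but only the frontend plugin has been bumped.
SAMPLE_TREE = json.loads("""
{
  "name": "backend",
  "version": "0.0.0",
  "dependencies": {
    "@backstage/plugin-catalog-backend-module-unprocessed": {
      "version": "0.6.10",
      "dependencies": {
        "@backstage/plugin-catalog-unprocessed-entities-common": {"version": "0.0.14"}
      }
    },
    "@backstage/plugin-catalog-unprocessed-entities": {"version": "0.2.30"},
    "express": {"version": "4.19.2"}
  }
}
""")

if __name__ == "__main__":
    # Real use: npm ls --json --all > tree.json; then load that file instead of SAMPLE_TREE.
    for name, version, path in find_vulnerable(SAMPLE_TREE):
        print(f"VULNERABLE {name}@{version} (needs >= {FIXED_VERSIONS[name]}) via {path}")
```

Run it against `npm ls --json --all` from the backend package directory; a clean run prints nothing. Note that a version of the backend module equal to or above 0.6.11 is only half the story: the common package it pulls in must also be at 0.0.15 or later, which is why the walk reports nested occurrences with their dependency path.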
Is CVE-2026-44374 being exploited?
Low: EPSS is 0.0%, and no widespread exploitation activity has been observed so far. Note that a low EPSS score does not lower the impact for a given installation; any authenticated user of an unpatched backend can still read unprocessed entity records they do not own.