{"id":"CVE-2026-32237","summary":"@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint","details":"Backstage is an open framework for building developer portals. Prior to version 3.1.5 of @backstage/plugin-scaffolder-backend, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.","aliases":["GHSA-8wq8-6859-qx77"],"modified":"2026-04-10T05:42:20.089657Z","published":"2026-03-12T18:38:57.156Z","database_specific":{"cwe_ids":["CWE-200"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32237.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32237.json"},{"type":"ADVISORY","url":"https://github.com/backstage/backstage/security/advisories/GHSA-8wq8-6859-qx77"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32237"},{"type":"FIX","url":"https://github.com/backstage/backstage/commit/3b62dd2d6bf7623ebd23e4b5a6dceb209f98dfce"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/backstage/backstage","events":[{"introduced":"0"},{"fixed":"3b62dd2d6bf7623ebd23e4b5a6dceb209f98dfce"}]}],"versions":["cli-old-cache-watch","hackweek-demo","release-2021-01-07","release-2021-01-08","release-2021-01-09","release-2021-01-14","release-2021-01-14.1","release-2021-01-18","release-2021-01-20","release-2021-01-21","release-2021-01-21.1","release-2021-01-28","release-2021-01-29","release-2021-02-01","release-2021-02-03","release-2021-02-05","release-2021-02-11","release-2021-02-16","release-2021-02-18","release-2021-02-23","release-2021-03-04","release-2021-03-09","r
elease-2021-03-11","release-2021-03-11.1","release-2021-03-16","release-2021-03-17","release-2021-03-18","release-2021-03-19","release-2021-03-25","release-2021-03-31","release-2021-03-31.1","release-2021-04-08","release-2021-04-13","release-2021-04-15","release-2021-04-21","release-2021-04-22","release-2021-04-22.1","release-2021-04-29","release-2021-05-04","release-2021-05-06","release-2021-05-10","release-2021-05-11","release-2021-05-12","release-2021-05-12.1","release-2021-05-17","release-2021-05-20","release-2021-05-20.1","release-2021-05-27","release-2021-05-31","release-2021-06-01","release-2021-06-03","release-2021-06-10","release-2021-06-10.1","release-2021-06-17","release-2021-06-17.1","release-2021-06-18","release-2021-06-21","release-2021-06-21.1","release-2021-06-24","release-2021-06-28","release-2021-07-01","release-2021-07-07","release-2021-07-08","release-2021-07-14","release-2021-07-14.1","release-2021-07-15","release-2021-07-16","release-2021-07-22","release-2021-07-29","release-2021-08-03","release-2021-08-05","release-2021-08-11","release-2021-08-12","release-2021-08-17","release-2021-08-19","release-2021-08-20","release-2021-08-26","release-2021-08-31","release-2021-09-02","release-2021-09-09","release-2021-09-14","release-2021-09-16","release-2021-09-17","release-2021-09-21","release-2021-09-23","release-2021-09-28","release-2021-09-30","release-2021-1-7","release-2021-10-04","release-2021-10-06","release-2021-10-07","release-2021-10-11","release-2021-10-13","release-2021-10-14","release-2021-10-16","release-2021-10-19","release-2021-10-21","release-2021-10-22","release-2021-10-28","release-2021-10-29","release-2021-10-29.1","release-2021-11-08","release-2021-11-11","release-2021-11-11.1","release-2021-11-12","release-2021-11-17","release-2021-11-17.1","release-2021-11-18","release-2021-11-19","release-2021-11-25","release-2021-12-02","release-2021-12-07","release-2021-12-09","release-2021-12-10","release-2021-12-16","release-2021-12-23","relea
se-2021-12-24","release-2021-12-30","release-2022-01-04","release-2022-01-13","release-2022-01-18","release-2022-01-20","release-2022-01-20.1","release-2022-01-27","v0.1.0","v0.1.1","v0.1.1-alpha.0","v0.1.1-alpha.1","v0.1.1-alpha.10","v0.1.1-alpha.11","v0.1.1-alpha.12","v0.1.1-alpha.13","v0.1.1-alpha.15","v0.1.1-alpha.16","v0.1.1-alpha.17","v0.1.1-alpha.18","v0.1.1-alpha.19","v0.1.1-alpha.2","v0.1.1-alpha.20","v0.1.1-alpha.21","v0.1.1-alpha.22","v0.1.1-alpha.23","v0.1.1-alpha.24","v0.1.1-alpha.25","v0.1.1-alpha.26","v0.1.1-alpha.3","v0.1.1-alpha.4","v0.1.1-alpha.5","v0.1.1-alpha.6","v0.1.1-alpha.7","v0.1.1-alpha.8","v0.10.0","v0.11.0","v0.11.1","v0.11.2","v0.11.3","v0.12.0","v0.13.0","v0.13.1","v0.14.0","v0.15.0","v0.16.0","v0.16.1","v0.17.0","v0.17.1","v0.17.2","v0.17.3","v0.18.0","v0.18.1","v0.19.0","v0.2.0","v0.20.0","v0.20.1","v0.21.0","v0.21.1","v0.22.0","v0.22.1","v0.22.2","v0.23.0","v0.24.0","v0.24.1","v0.25.0","v0.25.1","v0.25.2","v0.25.3","v0.26.0","v0.26.1","v0.27.0","v0.28.0","v0.29.0","v0.29.1","v0.29.2","v0.3.0","v0.3.1","v0.3.2","v0.30.0","v0.30.1","v0.31.0","v0.32.0","v0.33.0","v0.33.1","v0.33.2","v0.33.3","v0.34.0","v0.34.1","v0.35.0","v0.35.1","v0.36.0","v0.36.1","v0.36.2","v0.37.0","v0.37.1","v0.38.0","v0.39.0","v0.39.1","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.40.0","v0.40.1","v0.41.0","v0.41.1","v0.42.0","v0.43.0","v0.44.0","v0.44.1","v0.45.0","v0.46.0","v0.46.1","v0.47.0","v0.47.1","v0.47.2","v0.48.0","v0.48.1","v0.49.0","v0.5.0","v0.50.0","v0.50.1","v0.50.2","v0.51.0","v0.51.1","v0.51.2","v0.52.0","v0.52.1","v0.53.0","v0.53.1","v0.53.2","v0.53.3","v0.54.0","v0.54.1","v0.54.2","v0.54.3","v0.54.4","v0.55.0","v0.55.1","v0.56.0","v0.57.0","v0.57.1","v0.58.0","v0.58.1","v0.59.0","v0.6.0","v0.60.0","v0.60.1","v0.61.0","v0.62.0","v0.63.0","v0.63.1","v0.64.0","v0.64.1","v0.65.0","v0.66.0","v0.66.0-next.0","v0.66.0-next.1","v0.67.0","v0.67.0-next.0","v0.68.0","v0.69.0","v0.7.0","v0.70.0","v0.71.0","v0.71.0-next.0","v0.8.0","v0.8.1","v0.8.2","v0.9.0","v1.
0.0","v1.1.0","v1.1.0-next.0","v1.1.0-next.1","v1.1.0-next.2","v1.1.0-next.3","v1.10.0","v1.10.0-next.0","v1.10.0-next.1","v1.10.0-next.2","v1.11.0","v1.11.0-next.0","v1.11.0-next.1","v1.11.0-next.2","v1.12.0","v1.12.0-next.0","v1.12.0-next.1","v1.12.0-next.2","v1.13.0","v1.13.0-next.0","v1.13.0-next.1","v1.13.0-next.2","v1.13.0-next.3","v1.14.0","v1.14.0-next.0","v1.14.0-next.1","v1.14.0-next.2","v1.15.0","v1.15.0-next.0","v1.15.0-next.1","v1.15.0-next.2","v1.15.0-next.3","v1.16.0","v1.16.0-next.0","v1.16.0-next.1","v1.16.0-next.2","v1.17.0","v1.17.0-next.0","v1.17.0-next.1","v1.17.0-next.2","v1.18.0","v1.18.0-next.0","v1.18.0-next.1","v1.18.0-next.2","v1.18.0-next.3","v1.19.0","v1.19.0-next.0","v1.19.0-next.1","v1.19.0-next.2","v1.2.0","v1.2.0-next.0","v1.2.0-next.1","v1.2.0-next.2","v1.2.0-next.3","v1.20.0","v1.20.0-next.0","v1.20.0-next.1","v1.20.0-next.2","v1.21.0","v1.21.0-next.0","v1.21.0-next.1","v1.21.0-next.2","v1.21.0-next.3","v1.21.0-next.4","v1.22.0","v1.22.0-next.0","v1.22.0-next.1","v1.22.0-next.2","v1.23.0","v1.23.0-next.0","v1.23.0-next.1","v1.23.0-next.2","v1.23.0-next.3","v1.24.0","v1.24.0-next.0","v1.24.0-next.1","v1.24.0-next.2","v1.24.1","v1.24.2","v1.25.0","v1.26.0","v1.26.0-next.0","v1.26.0-next.1","v1.27.0","v1.27.0-next.0","v1.27.0-next.1","v1.27.0-next.2","v1.28.0","v1.28.0-next.0","v1.28.0-next.1","v1.28.0-next.2","v1.28.0-next.3","v1.29.0","v1.29.0-next.0","v1.29.0-next.1","v1.29.0-next.2","v1.3.0","v1.3.0-next.0","v1.3.0-next.1","v1.3.0-next.2","v1.30.0","v1.30.0-next.0","v1.30.0-next.1","v1.30.0-next.2","v1.30.0-next.3","v1.30.0-next.4","v1.31.0","v1.31.0-next.0","v1.31.0-next.1","v1.31.0-next.2","v1.32.0","v1.32.0-next.0","v1.32.0-next.1","v1.32.0-next.2","v1.33.0","v1.33.0-next.0","v1.33.0-next.1","v1.33.0-next.2","v1.33.0-next.3","v1.34.0","v1.34.0-next.0","v1.34.0-next.1","v1.34.0-next.2","v1.35.0","v1.35.0-next.0","v1.35.0-next.1","v1.35.0-next.2","v1.36.0","v1.36.0-next.0","v1.36.0-next.1","v1.36.0-next.2","v1.36.0-next.3","v1.37
.0","v1.37.0-next.0","v1.37.0-next.1","v1.37.0-next.2","v1.38.0","v1.38.0-next.0","v1.38.0-next.1","v1.38.0-next.2","v1.39.0","v1.39.0-next.0","v1.39.0-next.1","v1.39.0-next.2","v1.39.0-next.3","v1.4.0","v1.4.0-next.0","v1.4.0-next.1","v1.4.0-next.2","v1.4.0-next.3","v1.40.0","v1.40.0-next.0","v1.40.0-next.1","v1.40.0-next.2","v1.40.0-next.3","v1.41.0","v1.41.0-next.0","v1.41.0-next.1","v1.41.0-next.2","v1.42.0","v1.42.0-next.0","v1.42.0-next.1","v1.42.0-next.2","v1.42.0-next.3","v1.43.0","v1.43.0-next.0","v1.43.0-next.1","v1.43.0-next.2","v1.44.0","v1.44.0-next.0","v1.44.0-next.1","v1.44.0-next.2","v1.44.0-next.3","v1.45.0","v1.45.0-next.0","v1.45.0-next.1","v1.45.0-next.2","v1.45.0-next.3","v1.46.0","v1.46.0-next.0","v1.46.0-next.1","v1.46.0-next.2","v1.47.0","v1.47.0-next.0","v1.47.0-next.1","v1.47.0-next.2","v1.47.0-next.3","v1.48.0","v1.48.0-next.0","v1.48.0-next.1","v1.48.0-next.2","v1.48.1","v1.48.2","v1.48.3","v1.48.4","v1.5.0","v1.5.0-next.0","v1.5.0-next.1","v1.5.0-next.2","v1.5.0-next.3","v1.6.0","v1.6.0-next.0","v1.6.0-next.1","v1.6.0-next.2","v1.6.0-next.3","v1.7.0","v1.7.0-next.0","v1.7.0-next.1","v1.7.0-next.2","v1.8.0","v1.8.0-next.0","v1.8.0-next.1","v1.8.0-next.2","v1.9.0","v1.9.0-next.0","v1.9.0-next.1","v1.9.0-next.2","v1.9.0-next.3","v1.9.0-next.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32237.json","unresolved_ranges":[{"events":[{"introduced":"3.1.0"},{"fixed":"3.1.5"}]},{"events":[{"introduced":"0"},{"last_affected":"the"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"}]}