← Back to CVEs
CVE-2026-29186
HIGH7.7
Description
Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. A gap in this allowlist allows attackers to craft an mkdocs.yml that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3.
CVE Details
CVSS v3.1 Score7.7
SeverityHIGH
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredLOW
User InteractionNONE
Published3/7/2026
Last Modified3/11/2026
Sourcenvd
Honeypot Sightings0
Affected Products
linuxfoundation:backstage_plugin-techdocs-node
Weaknesses (CWE)
CWE-74CWE-434CWE-434
References
https://github.com/backstage/backstage/security/advisories/GHSA-928r-fm4v-mvrw(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.