Low severity2.7NVD Advisory· Published Mar 7, 2026· Updated Apr 25, 2026

CVE-2026-29185

Description

Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that construct API URLs, the traversal segments could redirect requests to unintended SCM provider API endpoints using the configured server-side integration credentials. This issue has been patched in version 1.20.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@backstage/integrationnpm	< 1.20.1	1.20.1

Affected products

Linux Foundation/Backstage\/integration
cpe:2.3:a:linuxfoundation:backstage\/integration:*:*:*:*:*:node.js:*:*
Range: <1.20.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/backstage/backstage/security/advisories/GHSA-95v5-prp4-5gv5nvdPatchVendor AdvisoryWEB
github.com/advisories/GHSA-95v5-prp4-5gv5ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-29185ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.176
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000