Medium severity 6.5 · NVD Advisory · Published Feb 25, 2026 · Updated May 5, 2026
CVE-2026-3118
Description
A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.
Affected products
- cpe:2.3:a:redhat:developer_hub:-:*:*:*:*:*:*:*
- (no CPE)
References
- access.redhat.com/security/cve/CVE-2026-3118 (nvd, Vendor Advisory)
- bugzilla.redhat.com/show_bug.cgi (nvd, Issue Tracking, Vendor Advisory)
- access.redhat.com/errata/RHSA-2026:13826 (nvd)
- access.redhat.com/errata/RHSA-2026:9742 (nvd)