VYPR
Medium severity · CVSS 4.4 · NVD Advisory · Published Mar 12, 2026 · Updated Apr 30, 2026

CVE-2026-32237

Description

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.
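As an added illustration (not Backstage's own code), the TypeScript below models the context construction that the fix commit changes: a dotted-path lookup and a toy `${{ ... }}` resolver stand in for Nunjucks, while `buildContextVulnerable` and `buildContextFixed` mirror the runner before and after 3.1.5. The secret values, the step input and the helper names are constructed for the example.

```typescript
// Added example (not Backstage code): a minimal model of how a scaffolder runner
// renders `${{ ... }}` step inputs against a context holding task secrets and
// server-configured environment secrets, before and after the 3.1.5 fix.
type Secrets = Record<string, string>;
type Context = Record<string, unknown>;
interface Task { isDryRun: boolean; secrets?: Secrets }
interface Environment { parameters?: Record<string, unknown>; secrets?: Secrets }
// Resolve a dotted path such as "environment.secrets.AWS_ACCESS_KEY".
function lookup(ctx: Context, path: string): unknown {
  return path.split('.').reduce<unknown>(
    (cur, key) => (cur !== null && typeof cur === 'object' ? (cur as Context)[key] : undefined),
    ctx,
  );
}
// Stand-in for the Nunjucks renderer: a `${{ path }}` input becomes the looked-up
// value; an unresolvable path yields undefined, as the fix commit's test asserts.
function renderInput(input: Record<string, string>, ctx: Context): Context {
  const out: Context = {};
  for (const [key, tmpl] of Object.entries(input)) {
    const path = /^\$\{\{\s*([\w.]+)\s*\}\}$/.exec(tmpl)?.[1];
    out[key] = path === undefined ? tmpl : lookup(ctx, path);
  }
  return out;
}
// Before 3.1.5: secrets entered the context even for dry-runs, so a template could
// copy them into inputs that the dry-run response echoes back unredacted.
function buildContextVulnerable(task: Task, env: Environment): Context {
  return {
    environment: { parameters: env.parameters ?? {}, secrets: env.secrets ?? {} },
    secrets: task.secrets ?? {},
  };
}
// After 3.1.5: a dry-run task sees empty secret maps; real runs are unchanged.
function buildContextFixed(task: Task, env: Environment): Context {
  return {
    environment: { parameters: env.parameters ?? {}, secrets: task.isDryRun ? {} : (env.secrets ?? {}) },
    secrets: task.isDryRun ? {} : (task.secrets ?? {}),
  };
}
// Constructed sample data (assumed values, not taken from any real deployment).
const sampleEnv: Environment = { secrets: { AWS_ACCESS_KEY: 'env-secret-value' } };
const sampleTaskSecrets: Secrets = { mySecret: 'task-secret-value' };
const sampleInput = { envSecret: '${{ environment.secrets.AWS_ACCESS_KEY }}', taskSecret: '${{ secrets.mySecret }}', plain: 'literal' };

// Render the sample step with either context builder; isDryRun selects the mode.
function renderSample(fixed: boolean, isDryRun: boolean): Context {
  const task: Task = { isDryRun, secrets: sampleTaskSecrets };
  const ctx = fixed ? buildContextFixed(task, sampleEnv) : buildContextVulnerable(task, sampleEnv);
  return renderInput(sampleInput, ctx);
}
```

The point a defender should take from the model is that redaction applied to log output does nothing for values that reach the response through template rendering; the secrets have to be kept out of the dry-run context itself.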

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                      Affected versions    Patched versions
@backstage/plugin-scaffolder-backend (npm)   >= 3.1.0, < 3.1.5    3.1.5

Affected products: 1

Patches: 1

3b62dd2d6bf7 · Merge commit from fork

https://github.com/backstage/backstage · Ben Lambert · Mar 11, 2026 · via ghsa
3 files changed · +43 −2
  • .changeset/fix-scaffolder-dryrun-secrets.md · +5 −0 · added
    @@ -0,0 +1,5 @@
    +---
    +'@backstage/plugin-scaffolder-backend': patch
    +---
    +
    +Fixed a security vulnerability where server-configured environment secrets were exposed through the scaffolder dry-run endpoint.
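Review bot: the changeset text covers only the server-configured environment secrets, but the runner change in this same commit also stops task-supplied `secrets.*` values from being templated during a dry-run, which is a visible behaviour change for any template that references `${{ secrets.x }}` when dry-run; add a sentence stating that both secret sources are now withheld from dry-run rendering.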
    
  • plugins/scaffolder-backend/src/scaffolder/tasks/NunjucksWorkflowRunner.test.ts · +36 −0 · modified
    @@ -2053,6 +2053,42 @@ describe('NunjucksWorkflowRunner', () => {
           expect(fakeActionHandler.mock.calls[0][0].step.id).toEqual('test');
           expect(fakeActionHandler.mock.calls[0][0].step.name).toEqual('name');
         });
    +
    +    it('should not pass environment secrets or task secrets to action inputs during dry-run', async () => {
    +      const dryRunHandler = jest.fn();
    +      actionRegistry.register(
    +        createTemplateAction({
    +          id: 'jest-dryrun-action',
    +          description: 'Mock action with dry-run support',
    +          supportsDryRun: true,
    +          handler: dryRunHandler,
    +        }),
    +      );
    +
    +      const task = createMockTaskWithSpec(
    +        {
    +          steps: [
    +            {
    +              id: 'test',
    +              name: 'name',
    +              action: 'jest-dryrun-action',
    +              input: {
    +                envSecret: '${{ environment.secrets.AWS_ACCESS_KEY }}',
    +                taskSecret: '${{ secrets.mySecret }}',
    +              },
    +            },
    +          ],
    +        },
    +        { mySecret: 'task-secret-value', backstageToken: token },
    +        true,
    +      );
    +
    +      await runner.execute(task);
    +
    +      const handlerCall = dryRunHandler.mock.calls[0][0];
    +      expect(handlerCall.input.envSecret).toBeUndefined();
    +      expect(handlerCall.input.taskSecret).toBeUndefined();
    +    });
       });
     
       describe('permissions', () => {
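Review bot: nothing in this hunk gives the runner under test an `environment.secrets` entry for `AWS_ACCESS_KEY`, so unless the surrounding fixture sets one, `expect(handlerCall.input.envSecret).toBeUndefined()` passes with or without the fix; set a known environment secret inside this test, and add the inverse case where `createMockTaskWithSpec(..., false)` is used and both `envSecret` and `taskSecret` are asserted to carry their values, so a regression in either ternary is caught rather than masked by an empty fixture.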
    
  • plugins/scaffolder-backend/src/scaffolder/tasks/NunjucksWorkflowRunner.ts · +2 −2 · modified
    @@ -392,9 +392,9 @@ export class NunjucksWorkflowRunner implements WorkflowRunner {
             ...context,
             environment: {
               parameters: this.environment?.parameters ?? {},
    -          secrets: this.environment?.secrets ?? {},
    +          secrets: task.isDryRun ? {} : this.environment?.secrets ?? {},
             },
    -        secrets: task.secrets ?? {},
    +        secrets: task.isDryRun ? {} : task.secrets ?? {},
           };
     
           const resolvedEach =
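Review bot: `task.isDryRun ? {} : this.environment?.secrets ?? {}` depends on `??` binding more tightly than the conditional operator, which it does, so the logic is correct, but the unparenthesised mix is easy to misread; write it as `task.isDryRun ? {} : (this.environment?.secrets ?? {})` and likewise `task.isDryRun ? {} : (task.secrets ?? {})`. Emptying the maps at the point where the template context is built is the right layer, since it covers every rendered input that can reach the dry-run response rather than only the log redaction the advisory description mentions.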
    
