CVE-2026-29186
published 2026-03-07


Priority: P264
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.78% (51.4th percentile)
Backstage is an open framework for building developer portals. In versions prior to 1.14.3, a configuration-allowlist bypass enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. A gap in this allowlist lets an attacker craft an mkdocs.yml that causes arbitrary Python code execution during the build, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3.

Affected (3 ranges)

Vendor           Product                          Version range      Fixed in
backstage        backstage                        < 1.14.3           1.14.3
backstage        plugin-techdocs-node             >= 0, < 1.14.3     1.14.3
linuxfoundation  backstage_plugin-techdocs-node   < 1.14.3           1.14.3

Detection & IOCs (extracted from sources)

Filename IOC: mkdocs.yml
  • Monitor for unexpected or modified mkdocs.yml files in repositories tracked by Backstage TechDocs, particularly those containing unusual Python plugin/hook configurations not in the standard allowlist.
  • Alert on TechDocs build processes spawning unexpected Python child processes or executing Python code outside of normal MkDocs build operations, especially when 'runIn: local' is configured.
  • Audit commit history for changes to mkdocs.yml files in Backstage-tracked repositories, especially from accounts with recently granted commit access.
  • Enforce mandatory pull request (PR) reviews for any modifications made to the mkdocs.yml file as a detection/prevention control.
  • The vulnerability only affects Backstage instances running @backstage/plugin-techdocs-node prior to version 1.14.3; upgrade to 1.14.3 to patch.
  • Exploitation requires the attacker to have commit access to a repository tracked by Backstage, limiting the attack surface to trusted-but-malicious insiders or compromised contributor accounts.
  • When 'runIn: local' is configured, arbitrary Python code executes in the host TechDocs build process context; switching to 'runIn: docker' confines execution to a container.
  • Affected Red Hat products include rhdh/rhdh-hub-rhel9 (Red Hat Developer Hub) and ansible-automation-platform/automation-portal (Self-service automation portal 2).
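As an added example (not code from this page or from the Backstage project), the following defender-side audit implements the first detection bullet above: it scans a repository's mkdocs.yml for top-level keys and plugin names that fall outside an allowlist. The allowlist sets, the treatment of 'hooks' as a code-loading key, and the two sample configs are assumptions constructed for illustration, not the real TechDocs allowlist.

```python
import re

# ASSUMED allowlists for this audit script; they are illustrative and are NOT
# the actual allowlist used by @backstage/plugin-techdocs-node.
ASSUMED_SAFE_KEYS = {
    "site_name", "site_description", "site_url", "repo_url", "edit_uri",
    "nav", "docs_dir", "site_dir", "markdown_extensions", "theme", "extra",
    "plugins",
}
ASSUMED_SAFE_PLUGINS = {"techdocs-core", "search"}
# MkDocs loads the Python files listed under 'hooks' straight from the repo,
# so this key is reported on sight rather than allowlisted.
CODE_LOADING_KEYS = {"hooks"}

TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w.-]*)\s*:(.*)$")
LIST_ITEM = re.compile(r"^\s+-\s*([A-Za-z0-9_.-]+)\s*:?\s*$")

def audit_mkdocs_config(text: str) -> dict:
    """Scan top-level mkdocs.yml keys and listed plugin names (line-based,
    no YAML parser dependency; nested mappings and multi-document files
    are out of scope). Returns what a reviewer should inspect before a build."""
    findings = {"code_loading": [], "unknown_keys": [], "unknown_plugins": []}
    section = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = TOP_LEVEL_KEY.match(line)
        if m:
            key, rest = m.group(1), m.group(2).strip()
            section = key
            if key in CODE_LOADING_KEYS:
                findings["code_loading"].append(key)
            elif key not in ASSUMED_SAFE_KEYS:
                findings["unknown_keys"].append(key)
            if key == "plugins" and rest.startswith("["):  # flow-style list
                for name in rest.strip("[]").split(","):
                    name = name.strip().strip("'\"")
                    if name and name not in ASSUMED_SAFE_PLUGINS:
                        findings["unknown_plugins"].append(name)
            continue
        if section == "plugins":  # block-style plugin list entries
            item = LIST_ITEM.match(line)
            if item and item.group(1) not in ASSUMED_SAFE_PLUGINS:
                findings["unknown_plugins"].append(item.group(1))
    return findings

# Constructed samples (not taken from any real repository).
BENIGN_CONFIG = "site_name: Service Docs\nplugins:\n  - techdocs-core\n  - search:\n      lang: en\n"
SUSPECT_CONFIG = "site_name: Service Docs\nhooks:\n  - docs/build_hook.py\nplugins: [techdocs-core, unknown-plugin]\n"
```

Run it over every mkdocs.yml in a TechDocs-tracked repository on pull requests; any non-empty list is a review finding, with 'code_loading' hits warranting a block until a maintainer has read the referenced file.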

CVSS provenance

nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
vendor_redhat: 7.7 HIGH