CVE-2026-29186
Published 2026-03-07
Priority: P2 (64)
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.78% (51.4th percentile)
Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. A gap in this allowlist allows attackers to craft an mkdocs.yml that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| backstage | backstage | < 1.14.3 | 1.14.3 |
| backstage | plugin-techdocs-node | >= 0 < 1.14.3 | 1.14.3 |
| linuxfoundation | backstage_plugin-techdocs-node | < 1.14.3 | 1.14.3 |
Detection & IOCs (extracted from sources)
- Monitor for unexpected or modified mkdocs.yml files in repositories tracked by Backstage TechDocs, particularly those containing unusual Python plugin/hook configurations not in the standard allowlist.
- Alert on TechDocs build processes spawning unexpected Python child processes or executing Python code outside of normal MkDocs build operations, especially when 'runIn: local' is configured.
- Audit commit history for changes to mkdocs.yml files in Backstage-tracked repositories, especially from accounts with recently granted commit access.
- Enforce mandatory pull request (PR) reviews for any modifications made to the mkdocs.yml file as a detection/prevention control.
- The vulnerability only affects Backstage instances running @backstage/plugin-techdocs-node prior to version 1.14.3; upgrade to 1.14.3 to patch.
- Exploitation requires the attacker to have commit access to a repository tracked by Backstage, limiting the attack surface to trusted-but-malicious insiders or compromised contributor accounts.
- When 'runIn: local' is configured, arbitrary Python code executes in the host TechDocs build process context; switching to 'runIn: docker' confines execution to a container.
- Affected Red Hat products include rhdh/rhdh-hub-rhel9 (Red Hat Developer Hub) and ansible-automation-platform/automation-portal (Self-service automation portal 2).
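The first detection item above (flag mkdocs.yml files carrying top-level keys outside an expected allowlist, and surface plugin/hook configuration for review) can be turned into a repository audit check. The script below is an added example, not code from the page or from the Backstage project: the `EXPECTED_KEYS` allowlist is an illustrative assumption for a plain documentation site and is not the allowlist that @backstage/plugin-techdocs-node implements, the `CODE_LOADING_KEYS` set reflects only that MkDocs `plugins` and `hooks` load Python at build time, and both sample mkdocs.yml documents are constructed.

```python
"""Audit mkdocs.yml top-level keys against an expected allowlist.

Added defensive example. EXPECTED_KEYS is an assumed, illustrative allowlist
for this script only; it is NOT the allowlist used by
@backstage/plugin-techdocs-node.
"""
import re

# Assumed allowlist of top-level keys an ordinary TechDocs site needs.
EXPECTED_KEYS = {
    "site_name", "site_description", "site_url", "repo_url", "repo_name",
    "docs_dir", "site_dir", "nav", "theme", "markdown_extensions", "extra",
    "plugins",
}

# Keys whose values make MkDocs import Python at build time. They are always
# reported for human review, even when the allowlist admits them.
CODE_LOADING_KEYS = {"plugins", "hooks"}

_KEY_RE = re.compile(r'^(?P<key>[A-Za-z_][\w-]*|"[^"]*"|\'[^\']*\')\s*:')


def top_level_keys(text):
    """Return the top-level mapping keys of a YAML document in order.

    Minimal scanner, not a full YAML parser: a top-level key starts in column 0
    and is followed by ':'. Indented lines, comments, blank lines and document
    markers ('---') are skipped. This covers the usual mkdocs.yml layout.
    """
    keys = []
    for line in text.splitlines():
        if not line.strip() or line[0] in " \t#-":
            continue
        m = _KEY_RE.match(line)
        if m:
            keys.append(m.group("key").strip("\"'"))
    return keys


def audit_mkdocs(text, allowlist=EXPECTED_KEYS):
    """Classify the document's top-level keys.

    Returns a dict with all keys found, the keys outside the allowlist
    ('unexpected') and the code-loading keys present ('review').
    """
    keys = top_level_keys(text)
    return {
        "keys": keys,
        "unexpected": [k for k in keys if k not in allowlist],
        "review": [k for k in keys if k in CODE_LOADING_KEYS],
    }


# Constructed sample: an ordinary documentation site configuration.
BENIGN_MKDOCS = """\
site_name: Payments Service
nav:
  - Home: index.md
  - API: api.md
theme:
  name: material
"""

# Constructed sample: adds a build-time hook and an unrecognised key.
SUSPICIOUS_MKDOCS = """\
# constructed sample, not a real repository file
site_name: Payments Service
plugins:
  - search
hooks:
  - docs/hooks/build_hook.py
custom_setting: true
"""


def format_report(name, text):
    """Render one audit result as a short human-readable report."""
    r = audit_mkdocs(text)
    lines = [f"{name}: {len(r['keys'])} top-level keys"]
    if r["unexpected"]:
        lines.append("  UNEXPECTED keys (not in allowlist): " + ", ".join(r["unexpected"]))
    if r["review"]:
        lines.append("  REVIEW code-loading keys: " + ", ".join(r["review"]))
    if not r["unexpected"] and not r["review"]:
        lines.append("  ok")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report("benign", BENIGN_MKDOCS))
    print(format_report("suspicious", SUSPICIOUS_MKDOCS))
```

In a CI or pre-receive check, run `audit_mkdocs` over every changed mkdocs.yml and fail or require review when `unexpected` or `review` is non-empty; the allowlist should be narrowed to what your own sites actually use, since a permissive allowlist is exactly the weakness this advisory describes.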
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Red Hat (vendor): 7.7 HIGH
OSV
TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution
osv · 2026-03-05 · CVE-2026-29186 [HIGH]
### Impact
This is a configuration bypass vulnerability that enables arbitrary code execution. The `@backstage/plugin-techdocs-node` package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process.
A gap in this allowlist allows attackers to craft an `mkdocs.yml` that causes arbitrary Python code execution, completely bypassing TechDocs' security controls.
### Patches
Patched in `@backstage/plugin-techdocs-node` version 1.14.3
### Workarounds
If users cannot upgrade immediately:
1. Use Docker mode with restricted access: Configure TechDocs with `runIn: docker` instead of `runIn: local`. This provides container isolation, though it does not fully mitigate the risk.
2. Rest
GHSA
TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution
ghsa · 2026-03-05 · CVE-2026-29186 [HIGH] · CWE-434
Advisory text identical to the OSV entry above.
Red Hat
backstage/plugin-techdocs-node: TechDocs Mkdocs configuration key enables arbitrary code execution
vendor_redhat · 2026-03-07 · CVSS 7.7 · CVE-2026-29186 [HIGH] · CWE-791
A flaw was found in Backstage. The backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build proc
No detection rules found.
No public exploits indexed.
https://github.com/backstage/backstage/security/advisories/GHSA-928r-fm4v-mvrw
https://access.redhat.com/errata/RHSA-2026:13826
https://access.redhat.com/errata/RHSA-2026:9742
https://access.redhat.com/security/cve/CVE-2026-29186
https://bugzilla.redhat.com/show_bug.cgi?id=2445480
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29186.json