CVE-2026-44374: Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks
The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module.
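To check whether an installation resolves this module at all, and at which versions, the lockfile can be inventoried. The following is an added example, not code from the Backstage project or from this advisory. Assumptions: the function names are illustrative, the sample lockfile text and its version strings are constructed placeholders, and no affected or fixed version range is encoded because the text above does not state one.

```javascript
// Added example: list resolved versions of the affected module in a lockfile.
const PKG = "@backstage/plugin-catalog-backend-module-unprocessed";

// package-lock.json (lockfileVersion 2/3): keys of "packages" are install paths,
// including nested ones such as node_modules/a/node_modules/<pkg>.
function fromPackageLock(text) {
  const suffix = "node_modules/" + PKG;
  return Object.entries(JSON.parse(text).packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([, meta]) => meta.version)
    .filter(Boolean);
}

// yarn.lock: an unindented header listing descriptors, followed by an indented
// `version "x"` (classic) or `version: x` (Berry) line.
function fromYarnLock(text) {
  const versions = [];
  let inEntry = false;
  for (const line of text.split(/\r?\n/)) {
    if (/^\S/.test(line)) {
      // Requiring "<pkg>@" avoids matching packages that merely share a prefix.
      inEntry = line.replace(/:$/, "").split(",")
        .some((d) => d.trim().replace(/^"|"$/g, "").startsWith(PKG + "@"));
    } else if (inEntry) {
      const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?/);
      if (m) { versions.push(m[1]); inEntry = false; }
    }
  }
  return versions;
}

// Returns the sorted, de-duplicated versions; an empty array means not installed.
function findInstalledVersions(lockText) {
  const found = lockText.trimStart().startsWith("{")
    ? fromPackageLock(lockText)
    : fromYarnLock(lockText);
  return [...new Set(found)].sort();
}

// Constructed Berry-style sample; version strings are placeholders.
const SAMPLE_YARN = [
  '"@backstage/plugin-catalog-backend-module-unprocessed@npm:^0.0.0-example.1":',
  "  version: 0.0.0-example.1",
  "",
  '"@backstage/plugin-catalog-backend@npm:^0.0.0-example.9":',
  "  version: 0.0.0-example.9",
].join("\n");
console.log(findInstalledVersions(SAMPLE_YARN));
```

Compare any version it reports against the fixed release named in the upstream advisory; more than one entry means several copies are resolved and each needs checking.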