CVE-2026-24046: Backstage has a Possible Symlink Path Traversal in Scaffolder Actions
Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to:
- Read arbitrary files via the debug:log action by creating a symlink pointing to sensitive files (e.g., /etc/passwd, configuration files, secrets)
- Delete arbitrary files via the fs:delete action by creating symlinks pointing outside the workspace
- Write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks
This affects any Backstage deployment where users can create or execute Scaffolder templates.
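As an added example (not Backstage's own code and not the fix shipped for this CVE), the kind of workspace path check a Scaffolder action or archive extractor needs: it rejects lexical traversal and any symlink along the path, and checks symlink entries of an archive before they are extracted. It assumes a Node.js runtime and constructs a throwaway workspace containing a symlink to a file outside it.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// True only if `relativePath` stays inside `workspace` both lexically (no "../" escape) and physically (no symlink on the way).
export function isSafeWorkspacePath(workspace: string, relativePath: string): boolean {
  const root = path.resolve(workspace);
  const target = path.resolve(root, relativePath);
  if (target !== root && !target.startsWith(root + path.sep)) return false;
  let current = root;
  for (const part of path.relative(root, target).split(path.sep)) {
    if (part === "") continue;
    current = path.join(current, part);
    // lstat does not follow links, so a symlink shows up as itself rather than as its target.
    const st = fs.lstatSync(current, { throwIfNoEntry: false });
    if (st === undefined) return true; // nothing below this point exists yet, so nothing can be followed
    if (st.isSymbolicLink()) return false;
  }
  return true;
}

// Archive entry: its own path must be safe, and a symlink entry's target must resolve inside the root too.
export function isSafeArchiveEntry(root: string, entryPath: string, linkTarget?: string): boolean {
  if (!isSafeWorkspacePath(root, entryPath)) return false;
  if (linkTarget === undefined) return true;
  if (path.isAbsolute(linkTarget)) return false;
  const rootAbs = path.resolve(root);
  const resolved = path.resolve(rootAbs, path.dirname(entryPath), linkTarget);
  return resolved === rootAbs || resolved.startsWith(rootAbs + path.sep);
}

// Constructed demo: a workspace holding a symlink to a file outside it, as in the debug:log / fs:delete scenario.
export function demo(): { plainAllowed: boolean; linkRejected: boolean; lexicalRejected: boolean } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "scaffolder-"));
  const workspace = path.join(base, "workspace");
  const secret = path.join(base, "secret.txt"); // stands in for /etc/passwd or a config file
  fs.mkdirSync(workspace);
  fs.writeFileSync(secret, "constructed sample secret\n");
  fs.writeFileSync(path.join(workspace, "README.md"), "# ok\n");
  fs.symlinkSync(secret, path.join(workspace, "log.txt"));
  const result = {
    plainAllowed: isSafeWorkspacePath(workspace, "README.md"),
    linkRejected: !isSafeWorkspacePath(workspace, "log.txt"),
    lexicalRejected: !isSafeWorkspacePath(workspace, "../secret.txt"),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}
```

Running the check before every read, write or delete a template action performs (and before each entry is written during extraction) is what closes the traversal; checking once up front is not enough, because a later archive entry can plant the symlink.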