CVE-2026-24048: Backstage has a Possible SSRF when reading from allowed URLs in `backend.reading.allow`
The FetchUrlReader component, which the catalog and other plugins use to fetch content from URLs, followed HTTP redirects automatically. An attacker who controls a host listed in `backend.reading.allow` could therefore redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control.
This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers.
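The root cause above is that the allowlist was checked once, on the initial URL, while the HTTP client followed redirects on its own. The following is an added example (not Backstage's own code and not the fix shipped for this CVE) of a reader that disables automatic redirects and re-validates every hop against the allowlist. It assumes Node 18+ (global `fetch` and `URL`), an allowlist shape modelled on `backend.reading.allow` entries with a `host` and optional `paths`, and a simplified host-matching rule (exact host or a `*.` subdomain wildcard) that is an assumption here, not a statement of Backstage's matching semantics.

```typescript
// Added example: allowlist-aware URL reader that checks every redirect hop.
// Not Backstage's code; the allowlist shape and wildcard rule are assumptions.

interface AllowEntry {
  host: string;      // exact host, or "*.example.com" style wildcard (assumed syntax)
  paths?: string[];  // optional path prefixes that must match
}

const MAX_REDIRECTS = 5;

// Assumed matching rule: exact host, or "*.suffix" for any proper subdomain.
function hostMatches(pattern: string, host: string): boolean {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// True when the URL parses, uses http(s), and matches some allowlist entry.
function isAllowedUrl(rawUrl: string, allow: AllowEntry[]): boolean {
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch {
    return false;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return allow.some(entry => {
    if (!hostMatches(entry.host, url.hostname)) return false;
    if (!entry.paths || entry.paths.length === 0) return true;
    return entry.paths.some(p => url.pathname.startsWith(p));
  });
}

// Decide what to do with one response: returns the next URL when the response
// is a redirect to an allowed target, null when the response is final, and
// throws when the redirect would leave the allowlist. Relative Location
// values are resolved against the current URL before the check.
function nextHop(
  currentUrl: string,
  status: number,
  location: string | null,
  allow: AllowEntry[],
): string | null {
  if (status < 300 || status > 399) return null;
  if (!location) throw new Error(`redirect from ${currentUrl} without Location header`);
  const target = new URL(location, currentUrl).toString();
  if (!isAllowedUrl(target, allow)) {
    throw new Error(`redirect from ${currentUrl} to ${target} blocked: not in backend.reading.allow`);
  }
  return target;
}

// Fetch with redirect: 'manual' so the client never follows a redirect on its
// own; each hop goes through nextHop() and the allowlist check.
async function readUrlChecked(rawUrl: string, allow: AllowEntry[]): Promise<Response> {
  if (!isAllowedUrl(rawUrl, allow)) throw new Error(`${rawUrl} not in backend.reading.allow`);
  let url = rawUrl;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const res = await fetch(url, { redirect: 'manual' });
    const next = nextHop(url, res.status, res.headers.get('location'), allow);
    if (next === null) return res;
    url = next;
  }
  throw new Error(`too many redirects starting from ${rawUrl}`);
}
```

The bounded hop count matters as much as the per-hop check: without it, an allowed host could keep a reader busy in a redirect loop. Keeping `isAllowedUrl` and `nextHop` synchronous and free of I/O also makes the policy easy to unit-test without a network.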