CVE-2026-24046: Symlink Slide: Escaping the Backstage Scaffolder Jail

#security #cve #cybersecurity

Symlink Slide: Escaping the Backstage Scaffolder Jail

Vulnerability ID: CVE-2026-24046
CVSS Score: 7.1
Published: 2026-01-21

A high-severity path traversal vulnerability in Spotify's Backstage Scaffolder allows attackers to escape the workspace sandbox using symbolic links. By crafting malicious templates, attackers can read sensitive files, delete arbitrary data, or write outside the intended directory.

TL;DR

The Backstage Scaffolder didn't verify if symbolic links pointed outside the workspace before following them. An attacker can create a template that links to /etc/passwd (or other secrets), and use the debug:log action to print the contents of that file to the logs. It's a classic symlink race condition turned into a reliable jailbreak.

⚠️ Exploit Status: POC

Technical Details

CVE ID: CVE-2026-24046
CVSS v3.1: 7.1 (High)
CWEs: CWE-22, CWE-59
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector: Symlink Path Traversal
Impact: Arbitrary File Read/Write/Delete

Affected Systems

Backstage Developer Portal
Scaffolder Backend Plugin
Node.js environments running vulnerable Backstage versions
@backstage/backend-defaults: < 0.12.2 (Fixed in: 0.12.2)
@backstage/plugin-scaffolder-backend: 3.0.0 - 3.0.1 (Fixed in: 3.0.2)
@backstage/plugin-scaffolder-node: < 0.11.2 (Fixed in: 0.11.2)

Code Analysis

Commit: c641c14

Fix symlink traversal in scaffolder actions

const targetPath = platformPath.resolve(linkDir, entry.linkpath);
if (!isChildPath(dir, targetPath)) { return false; }

Exploit Details

Manual: Create a template with 'ln -s' and use 'debug:log' to read target files.

Mitigation Strategies

Input Validation: Ensure all file operations resolve paths and verify they reside within the intended jail.
Least Privilege: Run Backstage processes with minimal filesystem permissions.
Containerization: Isolate the Backstage backend to limit the blast radius of local file inclusion/deletion.

Remediation Steps: