CVE-2026-24048
Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`
Description
### Impact The `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. ### Patches This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. ### Workarounds - Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects - Ensure allowed hosts do not have open redirect vulnerabilities - Use network-level controls to block access from Backstage to sensitive internal endpoints ### References - [OWASP SSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)
How to fix CVE-2026-24048
To remediate CVE-2026-24048, upgrade the affected package to a fixed version below.
- —upgrade to 0.12.2 or later
Is CVE-2026-24048 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.12.2