CVE-2026-44374
Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks
Description
### Impact

The unprocessed entities read endpoints in `@backstage/plugin-catalog-backend-module-unprocessed` do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module.

### Patches

This is patched in `@backstage/plugin-catalog-backend-module-unprocessed` version 0.6.11, `@backstage/plugin-catalog-unprocessed-entities-common` version 0.0.15 and `@backstage/plugin-catalog-unprocessed-entities` version 0.2.30. Users should upgrade all packages.

### Workarounds

If users cannot upgrade, they can remove the `@backstage/plugin-catalog-backend-module-unprocessed` module from their backend until the patch is applied. There is no configuration-based workaround to add permission checks to these endpoints without upgrading.
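The authorization gap described above, as an added illustration that is not Backstage's own code: a minimal in-memory model of an unprocessed-entities read handler, first in the vulnerable shape (authentication only) and then gated by an explicit per-record authorization decision. The record shape, the `authorize` policy, the route names and the sample principals are all constructed for this example.

```javascript
"use strict";

// Constructed sample data: unprocessed entity records, each with an owner ref.
const UNPROCESSED = [
  { entityRef: "component:default/payments-api", owner: "group:default/team-a", state: "failed" },
  { entityRef: "component:default/billing-job",  owner: "group:default/team-a", state: "pending" },
  { entityRef: "component:default/search-ui",    owner: "group:default/team-b", state: "failed" },
];

// Two-valued decision, mirroring the ALLOW/DENY split used by permission frameworks.
const AuthorizeResult = Object.freeze({ ALLOW: "ALLOW", DENY: "DENY" });

// Hypothetical ownership policy: a caller may read a record only when one of the
// caller's ownership refs (their user ref or group memberships) matches the record owner.
function authorize(credentials, record) {
  const allowed = credentials.ownershipRefs.includes(record.owner);
  return allowed ? AuthorizeResult.ALLOW : AuthorizeResult.DENY;
}

// Vulnerable pattern: the handler verifies that *someone* is signed in but never
// asks whether *this* principal may read each record, so every authenticated
// caller receives the full table, including other owners' records.
function readUnprocessedVulnerable(credentials) {
  if (!credentials) throw new Error("401 unauthenticated");
  return UNPROCESSED;
}

// Hardened pattern: every record passes through authorize() before it is
// returned, so cross-owner records are filtered out for this caller.
function readUnprocessedHardened(credentials) {
  if (!credentials) throw new Error("401 unauthenticated");
  return UNPROCESSED.filter(
    (record) => authorize(credentials, record) === AuthorizeResult.ALLOW,
  );
}

// Constructed caller: authenticated, member of team-b only.
const teamBUser = {
  principal: "user:default/alice",
  ownershipRefs: ["user:default/alice", "group:default/team-b"],
};

// Quick demonstration when run directly: 3 records leak vs. 1 permitted record.
console.log("vulnerable:", readUnprocessedVulnerable(teamBUser).length);
console.log("hardened:  ", readUnprocessedHardened(teamBUser).length);
```

The defensive takeaway is the location of the check: authentication at the edge is not enough, the authorization decision has to be made per record against the caller's credentials inside the read path.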
How to fix CVE-2026-44374
To remediate CVE-2026-44374, upgrade each affected package to the fixed version listed below.
- `@backstage/plugin-catalog-backend-module-unprocessed`: upgrade to 0.6.11 or later
- `@backstage/plugin-catalog-unprocessed-entities`: upgrade to 0.2.30 or later
- `@backstage/plugin-catalog-unprocessed-entities-common`: upgrade to 0.0.15 or later
Is CVE-2026-44374 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.