CVE-2026-29186

HIGH

Backstage plugin-techdocs-node < 1.14.3 - Arbitrary Code Execution via MkDocs Configuration Bypass

Title source: llm

Description

Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. A gap in this allowlist allows attackers to craft an mkdocs.yml that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/backstage/backstage/security/advisories/GHSA-928r-fm4v-mvrw

Scores

CVSS v3 7.7

EPSS 0.0048

EPSS Percentile 37.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434 CWE-74

Status published

Products (2)

backstage/plugin-techdocs-node 0 - 1.14.3npm

linuxfoundation/backstage_plugin-techdocs-node < 1.14.3

Published Mar 07, 2026

Tracked Since Mar 07, 2026