CVE-2026-3118

MEDIUM

Red Hat Developer Hub - DoS

Title source: llm

Description

A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.

References (2)

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2026-3118

[Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=2442273

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 12.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-89

Status published

Affected Products (1)

redhat/developer_hub

Timeline

Published Feb 25, 2026

Tracked Since Feb 25, 2026