CVE-2026-32237: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in @backstage plugin-scaffolder-backend
Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.
AI Analysis
Technical Summary
Backstage is an open-source framework designed to build developer portals, and the plugin-scaffolder-backend is a component that facilitates scaffolding operations, including dry-run executions. CVE-2026-32237 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting versions of @backstage/plugin-scaffolder-backend prior to 3.1.5. The flaw arises because authenticated users who have permission to perform scaffolder dry-runs can retrieve server-configured environment secrets via the dry-run API response payload. While the system properly redacts secrets in log outputs, it fails to do so consistently in all parts of the API response, leading to inadvertent exposure of sensitive environment variables. This vulnerability specifically affects deployments that have configured the scaffolder.defaultEnvironment.secrets setting, which typically contains sensitive credentials or tokens necessary for deployment or build processes. Exploitation requires authenticated access with the ability to execute dry-run scaffolding commands, but no additional user interaction is needed. The vulnerability does not affect the integrity or availability of the system but poses a significant confidentiality risk by leaking secrets that could be leveraged for further attacks. The issue was publicly disclosed on March 12, 2026, with a CVSS v3.1 base score of 4.4 (medium severity), reflecting the network attack vector, high attack complexity, and required privileges. There are no known exploits in the wild at the time of disclosure. The vulnerability is remediated in version 3.1.5 of the plugin-scaffolder-backend, which properly redacts secrets in all API response sections.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive environment secrets to authenticated users with dry-run execution permissions. Such secrets often include API keys, tokens, or credentials that could be used to escalate privileges, access other systems, or exfiltrate data. Organizations relying on Backstage for developer portals and automated scaffolding may inadvertently expose critical secrets to internal users who should not have access, increasing the risk of insider threats or lateral movement by compromised accounts. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach can lead to significant downstream impacts, including data breaches, unauthorized access to cloud resources, and disruption of deployment pipelines. The risk is heightened in environments where scaffolder.defaultEnvironment.secrets contains high-value credentials. Since exploitation requires authenticated access with specific permissions, the threat is more relevant to organizations with large developer teams or complex permission structures. The absence of known exploits reduces immediate risk but does not eliminate the potential for targeted attacks, especially in high-value environments.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade the @backstage/plugin-scaffolder-backend to version 3.1.5 or later, where the issue is patched. Until the upgrade can be performed, restrict the permission to execute scaffolder dry-runs to only highly trusted users, minimizing the number of accounts that can access the vulnerable API. Review and audit the scaffolder.defaultEnvironment.secrets configuration to ensure that only necessary secrets are included and consider segregating secrets to limit exposure. Implement strict access controls and monitoring on the Backstage environment to detect unusual dry-run API usage or attempts to access secrets. Additionally, consider rotating any secrets that may have been exposed prior to patching. Employ network segmentation and least privilege principles to reduce the impact of any leaked credentials. Finally, maintain an up-to-date inventory of Backstage components and monitor vendor advisories for future updates or related vulnerabilities.
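The defect class described above (secrets redacted in the log section but still present elsewhere in the same response) and the audit step recommended here can both be illustrated with a small redaction routine. The following is an added example, not Backstage's own code: it walks an arbitrary JSON payload and replaces every configured secret value wherever it appears, and it includes a leak counter that a deployment can run over a captured dry-run response to confirm nothing sensitive survives. The response shape (`log`, `output`, `directoryContents`, `steps`) and the secret values are constructed for illustration and are not the real Backstage API schema.

```typescript
// Added example (not Backstage project code). Shows why redacting only the
// log section is insufficient and what whole-payload redaction looks like.

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

export const REDACTED = '***';

// Replace every verbatim occurrence of each secret value inside one string.
export function redactString(value: string, secrets: string[]): string {
  let out = value;
  for (const s of secrets) {
    if (s.length === 0) continue; // an empty secret would match everywhere
    out = out.split(s).join(REDACTED);
  }
  return out;
}

// Recursively redact every string leaf of a JSON value; other leaves pass through.
export function redactDeep(value: Json, secrets: string[]): Json {
  if (typeof value === 'string') return redactString(value, secrets);
  if (Array.isArray(value)) return value.map(v => redactDeep(v, secrets));
  if (value !== null && typeof value === 'object') {
    const out: { [key: string]: Json } = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactDeep(v, secrets);
    return out;
  }
  return value;
}

// Constructed sample secrets (hypothetical values, not real credentials).
export const SAMPLE_SECRETS = ['ghp_constructedSampleToken123', 's3cr3t-constructed'];

// Constructed dry-run-style response: field names are assumptions for this
// example only. The same token appears in four different sections.
export function sampleDryRunResponse(): { [key: string]: Json } {
  return {
    log: [{ body: { message: 'fetch:template using token ghp_constructedSampleToken123' } }],
    output: { links: [{ url: 'https://example.invalid/?token=ghp_constructedSampleToken123' }] },
    directoryContents: [{ path: '.env', content: 'PASSWORD=s3cr3t-constructed' }],
    steps: [{ id: 'fetch', input: { token: 'ghp_constructedSampleToken123' } }],
  };
}

// Weak pattern: only the log section is passed through the redactor.
export function redactLogsOnly(resp: { [key: string]: Json }, secrets: string[]): Json {
  return { ...resp, log: redactDeep(resp.log, secrets) };
}

// Hardened pattern: the entire payload is redacted before serialization.
export function redactWholeResponse(resp: { [key: string]: Json }, secrets: string[]): Json {
  return redactDeep(resp, secrets);
}

// Audit helper: count verbatim secret occurrences anywhere in a serialized payload.
export function countLeaks(payload: Json, secrets: string[]): number {
  const text = JSON.stringify(payload);
  let n = 0;
  for (const s of secrets) if (s.length > 0) n += text.split(s).length - 1;
  return n;
}

// Summary of the three states for the constructed sample.
export function demo(): { raw: number; logsOnly: number; whole: number } {
  const resp = sampleDryRunResponse();
  return {
    raw: countLeaks(resp, SAMPLE_SECRETS),
    logsOnly: countLeaks(redactLogsOnly(resp, SAMPLE_SECRETS), SAMPLE_SECRETS),
    whole: countLeaks(redactWholeResponse(resp, SAMPLE_SECRETS), SAMPLE_SECRETS),
  };
}

console.log(demo());
```

Value matching of this kind only catches verbatim copies: a secret that has been base64-encoded, URL-encoded or split across fields will not be found, so an audit of a captured response should decode file contents before scanning and should treat any non-zero count as a finding.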
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T14:47:05.684Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b30d502f860ef943de4424
Added to database: 3/12/2026, 7:00:32 PM
Last enriched: 3/12/2026, 7:14:31 PM
Last updated: 3/12/2026, 9:12:57 PM