CVE-2026-29186 PUBLISHED

@backstage/plugin-techdocs-node: TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution

Assigner: GitHub_M
Reserved: 04.03.2026 Published: 07.03.2026 Updated: 07.03.2026

Backstage is an open framework for building developer portals. Versions prior to 1.14.3 contain a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. A gap in this allowlist lets an attacker craft an mkdocs.yml that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
CVSS Score: 7.7

Product Status

Vendor: backstage
Product: backstage
Versions:
  • Version < 1.14.3 is affected

Problem Types

  • CWE-434: Unrestricted Upload of File with Dangerous Type
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')