CVE-2026-44374 - Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner da
GHSA-p7g9-rp3g-mgfg MEDIUM npm/@backstage/plugin-catalog-unprocessed-entities-common
CVE: CVE-2026-44374
### Impact
The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module.
### Patches
This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30. Users should upgrade all packages.
### Workarounds
If users cannot upgrade, they can remove the @backstage/plugin-catalog-backend-module-unprocessed module from their backend until the patch is applied. There is no configuration-based workaround to add permission checks to these endpoints without upgrading.
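A version check for the three packages named under Patches, as an added example that is not part of the advisory or of Backstage itself. The function names, the sample input and the assumption that dependencies are hoisted to the top-level `node_modules` are all constructed for illustration; only the package names and patched versions come from the text above.

```javascript
// Patched versions as stated in the advisory.
const PATCHED = {
  '@backstage/plugin-catalog-backend-module-unprocessed': '0.6.11',
  '@backstage/plugin-catalog-unprocessed-entities-common': '0.0.15',
  '@backstage/plugin-catalog-unprocessed-entities': '0.2.30',
};

// Split "1.2.3-next.0" into a numeric core [1, 2, 3] and a pre-release flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when a sorts before b; a pre-release of the same core sorts before the release.
function isOlder(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i];
  }
  return x.pre && !y.pre;
}

// installed: array of { name, version }. Returns entries below the patched version.
function findUnpatched(installed) {
  return installed
    .filter(p => Object.hasOwn(PATCHED, p.name) && isOlder(p.version, PATCHED[p.name]))
    .map(p => ({ ...p, fixedIn: PATCHED[p.name] }));
}

// Assumption: dependencies are hoisted to <rootDir>/node_modules.
async function readInstalled(rootDir) {
  const [fs, path] = await Promise.all([import('node:fs'), import('node:path')]);
  const found = [];
  for (const name of Object.keys(PATCHED)) {
    const file = path.join(rootDir, 'node_modules', name, 'package.json');
    if (!fs.existsSync(file)) continue;
    found.push({ name, version: JSON.parse(fs.readFileSync(file, 'utf8')).version });
  }
  return found;
}

// Constructed sample input (not taken from a real installation).
const sample = [
  { name: '@backstage/plugin-catalog-backend-module-unprocessed', version: '0.6.10' },
  { name: '@backstage/plugin-catalog-unprocessed-entities-common', version: '0.0.15' },
  { name: '@backstage/plugin-catalog-unprocessed-entities', version: '0.2.30-next.0' },
];
console.log(findUnpatched(sample));
```

Against a real checkout, pass the result of `await readInstalled(repoRoot)` to `findUnpatched`; any entry returned for the backend module means the read endpoints are still exposed until it is upgraded or removed.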
📌 Source: GitHub-Advisory | 🆔 CVE-2026-44374 | 📅 2026-05-06