Symlink Slide: Escaping the Backstage Scaffolder Jail
Jan 22, 2026
Executive Summary (TL;DR)
The Backstage Scaffolder did not verify whether a symbolic link pointed outside the workspace before following it. An attacker can create a template that links to `/etc/passwd` (or other secrets) and use the `debug:log` action to print the contents of that file to the logs. It's a classic symlink race condition turned into a reliable jailbreak.
A high-severity path traversal vulnerability in Spotify's Backstage Scaffolder allows attackers to escape the workspace sandbox using symbolic links. By crafting malicious templates, attackers can read sensitive files, delete arbitrary data, or write outside the intended directory.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| @backstage/backend-defaults (Spotify/Backstage) | < 0.12.2 | 0.12.2 |
| @backstage/plugin-scaffolder-backend (Spotify/Backstage) | 3.0.0 - 3.0.1 | 3.0.2 |
| @backstage/plugin-scaffolder-node (Spotify/Backstage) | < 0.11.2 | 0.11.2 |
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2026-24046 |
| CVSS v3.1 | 7.1 (High) |
| CWEs | CWE-22, CWE-59 |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L |
| Attack Vector | Symlink Path Traversal |
| Impact | Arbitrary File Read/Write/Delete |
MITRE ATT&CK Mapping
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') leading to access of files outside the intended scope via symbolic links.