What is CVE-2026-44374?

CVE-2026-44374 is a medium-severity vulnerability in @Backstage Plugin-catalog-backend-module-unprocessed, classified under Incorrect Authorization. CVSS score: 4.3/10. Published 2026-05-14.

How severe is CVE-2026-44374?

Medium severity. CVSS v3 base score is 4.3 out of 10.

Auth bypass in @Backstage Plugin-catalog-backend-module-unprocessed

CVE-2026-44374

Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticat…

Vulnerability class: Broken Access Control

EPSS: 0.000 (9.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.

Affected products

@Backstage Plugin-catalog-backend-module-unprocessed — versions < 0.6.11
@Backstage Plugin-catalog-unprocessed-entities — versions < 0.2.30
@Backstage Plugin-catalog-unprocessed-entities-common — versions < 0.0.15
Linuxfoundation Backstage\/plugin-catalog-backend-module-unprocessed
Linuxfoundation Backstage\/plugin-catalog-unprocessed-entities
Linuxfoundation Backstage\/plugin-catalog-unprocessed-entities-common

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

security-advisories@github.com (x_refsource_CONFIRM, Mitigation, Vendor Advisory)

Frequently asked questions

What is CVE-2026-44374?: CVE-2026-44374 is a medium-severity vulnerability in @Backstage Plugin-catalog-backend-module-unprocessed, classified under Incorrect Authorization. CVSS score: 4.3/10. Published 2026-05-14.
How severe is CVE-2026-44374?: Medium severity. CVSS v3 base score is 4.3 out of 10.