Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2026-3118

Опубликовано: 24 фев. 2026
Источник: redhat
CVSS3: 6.5

Описание

A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.

Отчет

This MODERATE impact vulnerability in the Orchestrator Plugin of Red Hat Developer Hub (Backstage) allows an authenticated attacker to cause a platform-wide Denial of Service. By injecting specially crafted input into GraphQL API requests, an attacker can disrupt backend query processing, leading to the application crashing and restarting. This issue temporarily prevents legitimate users from accessing the platform.

Меры по смягчению последствий

To mitigate this issue, restrict network access to the Red Hat Developer Hub instance to trusted users and networks only. This limits the exposure of the vulnerable Orchestrator Plugin to unauthorized access.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Developer Hubrhdh/rhdh-hub-rhel9Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-89
https://bugzilla.redhat.com/show_bug.cgi?id=2442273rhdh: GraphQL Injection Leading to Platform-Wide Denial of Service (DoS) in RH Developer Hub Orchestrator Plugin

6.5 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2026-3118

CVSS3: 6.5
nvd
30 дней назад

A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.

github логотип

GHSA-qvwr-8759-6g2c

CVSS3: 6.5
github
30 дней назад

A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.

6.5 Medium

CVSS3