VIR Vulnerability Intelligence Relay

CVE-2026-3118

medium
Published 2026-02-25 · Modified 2026-05-05
CVSS v3
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
VIR risk
6.5

Description

A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.

Predictions

Exploit likelihood
75%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description rhdh: GraphQL Injection Leading to Platform-Wide Denial of Service (DoS) in RH Developer Hub Orchestrator Plugin Red Hat statement This MODERATE impact vulnerability in the Orchestrator Plugin of Red Hat Developer Hub (Backstage) allows an authenticated attacker to cause a platform-wide Denial of Service. By injecting specially crafted input into GraphQL API requests, an attacker can…

Description

rhdh: GraphQL Injection Leading to Platform-Wide Denial of Service (DoS) in RH Developer Hub Orchestrator Plugin

Red Hat statement

This MODERATE impact vulnerability in the Orchestrator Plugin of Red Hat Developer Hub (Backstage) allows an authenticated attacker to cause a platform-wide Denial of Service. By injecting specially crafted input into GraphQL API requests, an attacker can disrupt backend query processing, leading to the application crashing and restarting. This issue temporarily prevents legitimate users from accessing the platform.

CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Errata / fixed releases

ProductPackageAdvisoryReleased
Red Hat Developer Hub 1.8rhdh/rhdh-hub-rhel9:1776784286RHSA-2026:97422026-04-22T00:00:00Z
Red Hat Developer Hub 1.9rhdh/rhdh-hub-rhel9:1777903262RHSA-2026:138262026-05-05T00:00:00Z

Apply commands

bash fix
Apply RHSA-2026:9742 for Red Hat Developer Hub 1.8
yum update -y rhdh/rhdh-hub-rhel9:1776784286
# or:
dnf upgrade -y rhdh/rhdh-hub-rhel9:1776784286

Application impact
VendorProductVersionsFixed
redhat redhatdeveloper_hub-

References

CWEs

CWE-89

💬 Discuss CVE-2026-3118 on VIR Community →

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.