Is this vulnerability remotely exploitable?

It can be, depending on how TechDocs is connected to documentation sources. If an attacker can push changes to a repository or documentation source that TechDocs builds—such as through a compromised developer account or a public-facing contribution flow—then they may trigger arbitrary code execution during the build without direct access to the Backstage host.

What level of access does an attacker need?

The attacker needs the ability to influence or control `mkdocs.yml` (and potentially related documentation files) for a project that TechDocs will build. This is often equivalent to write access to a source code repository or documentation repo integrated with Backstage. No direct shell access to the Backstage server is required.

What is the safest general fix pattern?

The strongest fix is to treat `mkdocs.yml` as untrusted data and enforce a strict, minimal schema that only permits configurations known to be safe. Combined with disabling or tightly restricting dynamic features and plugins, and running MkDocs in a sandboxed, least-privilege environment, this drastically reduces the risk of configuration-driven code execution.

Severity:

HIGH RISK

(7.7)

Configuration Injection Leading to Code Execution (CWE-74) in Backstage TechDocs MkDocs Integration

CVE-2026-29186

Published:

Mar 7, 2026

Status:

Received

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

NDV

Recent Vulnerabilities

CWE-78

CRITICAL RISK

CRITICAL

(9.9)

Command Injection in MCP Stdio Configuration Validation (CWE-78) in WeKnora

Remote Code Execution

March 7, 2026

CWE-89

CRITICAL RISK

CRITICAL

(9.9)

SQL Injection via PostgreSQL Array/Row Expressions (CWE-89) in WeKnora Query Engine

Remote Code Execution via SQL Injection on the Database Server

March 7, 2026

Vulnerability Type

Category:

Configuration Injection / Code Execution via Unsafe Configuration Handling

CWE:

CWE-74;CWE-434

Impact:

Arbitrary Code Execution during Documentation Build

Severity:

HIGH RISK

(7.7)

CVSS Version:

3.1

Vulnerability Type

Category:

Configuration Injection / Code Execution via Unsafe Configuration Handling

CWE:

CWE-74;CWE-434

Impact:

Arbitrary Code Execution during Documentation Build

Severity:

HIGH RISK

(7.7)

CVSS Version:

3.1

Catch This CVE While Code Is Being Written

Detect vulnerable code directly in pull requests, so CVEs are fixed before merge.

Get Started

Ship clean & secure code faster

START 14 DAYS FREE TRIAL

BOOK A DEMO

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Configuration Injection Leading to Code Execution (CWE-74) in Backstage TechDocs MkDocs Integration

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

Recent Vulnerabilities

CRITICAL RISK

CRITICAL

(9.9)

Command Injection in MCP Stdio Configuration Validation (CWE-78) in WeKnora

CRITICAL RISK

CRITICAL

(9.9)

SQL Injection via PostgreSQL Array/Row Expressions (CWE-89) in WeKnora Query Engine

Vulnerability Type

Vulnerability Type

Vulnerability Type

Catch This CVE While Code Is Being Written

Ship clean & secure code faster

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare