{
  "api_version": "1",
  "generated_at": "2026-04-23T02:25:04+00:00",
  "cve": "CVE-2026-3118",
  "urls": {
    "html": "https://cve.report/CVE-2026-3118",
    "api": "https://cve.report/api/cve/CVE-2026-3118.json",
    "docs": "https://cve.report/api",
    "cve_org": "https://www.cve.org/CVERecord?id=CVE-2026-3118",
    "nvd": "https://nvd.nist.gov/vuln/detail/CVE-2026-3118"
  },
  "summary": {
    "title": "Rhdh: graphql injection leading to platform-wide denial of service (dos) in rh developer hub orchestrator plugin",
    "description": "A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.",
    "state": "PUBLISHED",
    "assigner": "redhat",
    "published_at": "2026-02-25 12:16:17",
    "updated_at": "2026-04-22 20:16:41"
  },
  "problem_types": [
    "CWE-89",
    "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
  ],
  "metrics": [
    {
      "version": "3.1",
      "source": "secalert@redhat.com",
      "type": "Secondary",
      "score": "6.5",
      "severity": "MEDIUM",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "data": {
        "version": "3.1",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
        "baseScore": 6.5,
        "baseSeverity": "MEDIUM",
        "attackVector": "NETWORK",
        "attackComplexity": "LOW",
        "privilegesRequired": "LOW",
        "userInteraction": "NONE",
        "scope": "UNCHANGED",
        "confidentialityImpact": "NONE",
        "integrityImpact": "NONE",
        "availabilityImpact": "HIGH"
      }
    },
    {
      "version": "3.1",
      "source": "CNA",
      "type": "CVSS",
      "score": "6.5",
      "severity": "MEDIUM",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "data": {
        "attackComplexity": "LOW",
        "attackVector": "NETWORK",
        "availabilityImpact": "HIGH",
        "baseScore": 6.5,
        "baseSeverity": "MEDIUM",
        "confidentialityImpact": "NONE",
        "integrityImpact": "NONE",
        "privilegesRequired": "LOW",
        "scope": "UNCHANGED",
        "userInteraction": "NONE",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
      }
    }
  ],
  "references": [
    {
      "url": "https://access.redhat.com/errata/RHSA-2026:9742",
      "name": "https://access.redhat.com/errata/RHSA-2026:9742",
      "refsource": "secalert@redhat.com",
      "tags": [],
      "title": "",
      "mime": "",
      "httpstatus": "",
      "archivestatus": "0"
    },
    {
      "url": "https://access.redhat.com/security/cve/CVE-2026-3118",
      "name": "https://access.redhat.com/security/cve/CVE-2026-3118",
      "refsource": "secalert@redhat.com",
      "tags": ["Vendor Advisory"],
      "title": "",
      "mime": "",
      "httpstatus": "",
      "archivestatus": "0"
    },
    {
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442273",
      "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2442273",
      "refsource": "secalert@redhat.com",
      "tags": ["Issue Tracking", "Vendor Advisory"],
      "title": "",
      "mime": "",
      "httpstatus": "",
      "archivestatus": "0"
    },
    {
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-3118",
      "name": "CVE Program record",
      "refsource": "CVE.ORG",
      "tags": ["canonical"]
    },
    {
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3118",
      "name": "NVD vulnerability detail",
      "refsource": "NVD",
      "tags": ["canonical", "analysis"]
    }
  ],
  "affected": [
    {
      "source": "CNA",
      "vendor": "Red Hat",
      "product": "Red Hat Developer Hub 1.8",
      "version": "unaffected sha256:bb763e2b7a9d101f73b03b9e1c5688e7034fd9d31413e890817bd4098a7d42f9 * rpm",
      "platforms": []
    }
  ],
  "timeline": [
    {"source": "CNA", "time": "2026-02-24T12:08:42.955Z", "lang": "en", "value": "Reported to Red Hat."},
    {"source": "CNA", "time": "2026-02-24T00:00:00.000Z", "lang": "en", "value": "Made public."}
  ],
  "solutions": [],
  "workarounds": [
    {
      "source": "CNA",
      "title": "",
      "value": "To mitigate this issue, restrict network access to the Red Hat Developer Hub instance to trusted users and networks only. This limits the exposure of the vulnerable Orchestrator Plugin to unauthorized access.",
      "time": "",
      "lang": "en"
    }
  ],
  "exploits": [],
  "credits": [
    {"source": "CNA", "value": "Red Hat would like to thank Thibault Guittet for reporting this issue.", "lang": "en"}
  ],
  "nvd_cpes": [
    {
      "cve_year": "2026",
      "cve_id": "3118",
      "vulnerable": "1",
      "versionEndIncluding": "",
      "cpe1": "cpe",
      "cpe2": "2.3",
      "cpe3": "a",
      "cpe4": "redhat",
      "cpe5": "developer_hub",
      "cpe6": "-",
      "cpe7": "*",
      "cpe8": "*",
      "cpe9": "*",
      "cpe10": "*",
      "cpe11": "*",
      "cpe12": "*",
      "cpe13": "*"
    }
  ],
  "vendor_comments": [],
  "enrichments": {
    "kev": null,
    "epss": {
      "cve_year": "2026",
      "cve_id": "3118",
      "cve": "CVE-2026-3118",
      "epss": "0.000160000",
      "percentile": "0.035520000",
      "score_date": "2026-04-22",
      "updated_at": "2026-04-23 00:03:15"
    },
    "legacy_qids": []
  },
  "source_records": {
    "cve_program": {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3118",
                    "options": [
                      {"Exploitation": "none"},
                      {"Automatable": "no"},
                      {"Technical Impact": "partial"}
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-25T16:28:17.442215Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-25T16:29:48.062Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": ["cpe:/a:redhat:rhdh:1.8::el9"],
              "defaultStatus": "affected",
              "packageName": "rhdh/rhdh-hub-rhel9",
              "product": "Red Hat Developer Hub 1.8",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "sha256:bb763e2b7a9d101f73b03b9e1c5688e7034fd9d31413e890817bd4098a7d42f9",
                  "versionType": "rpm"
                }
              ]
            }
          ],
          "credits": [
            {"lang": "en", "value": "Red Hat would like to thank Thibault Guittet for reporting this issue."}
          ],
          "datePublic": "2026-02-24T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-22T19:38:34.502Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:9742",
              "tags": ["vendor-advisory", "x_refsource_REDHAT"],
              "url": "https://access.redhat.com/errata/RHSA-2026:9742"
            },
            {
              "tags": ["vdb-entry", "x_refsource_REDHAT"],
              "url": "https://access.redhat.com/security/cve/CVE-2026-3118"
            },
            {
              "name": "RHBZ#2442273",
              "tags": ["issue-tracking", "x_refsource_REDHAT"],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442273"
            }
          ],
          "timeline": [
            {"lang": "en", "time": "2026-02-24T12:08:42.955Z", "value": "Reported to Red Hat."},
            {"lang": "en", "time": "2026-02-24T00:00:00.000Z", "value": "Made public."}
          ],
          "title": "Rhdh: graphql injection leading to platform-wide denial of service (dos) in rh developer hub orchestrator plugin",
          "workarounds": [
            {
              "lang": "en",
              "value": "To mitigate this issue, restrict network access to the Red Hat Developer Hub instance to trusted users and networks only. This limits the exposure of the vulnerable Orchestrator Plugin to unauthorized access."
            }
          ],
          "x_generator": {"engine": "cvelib 1.8.0"},
          "x_redhatCweChain": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-3118",
        "datePublished": "2026-02-25T11:25:55.016Z",
        "dateReserved": "2026-02-24T12:08:32.734Z",
        "dateUpdated": "2026-04-22T19:38:34.502Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    },
    "nvd": {
      "publishedDate": "2026-02-25 12:16:17",
      "lastModifiedDate": "2026-04-22 20:16:41",
      "problem_types": [
        "CWE-89",
        "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      ],
      "metrics": {
        "cvssMetricV31": [
          {
            "source": "secalert@redhat.com",
            "type": "Secondary",
            "cvssData": {
              "version": "3.1",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "attackVector": "NETWORK",
              "attackComplexity": "LOW",
              "privilegesRequired": "LOW",
              "userInteraction": "NONE",
              "scope": "UNCHANGED",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "availabilityImpact": "HIGH"
            },
            "exploitabilityScore": 2.8,
            "impactScore": 3.6
          }
        ]
      },
      "configurations": [
        {
          "nodes": [
            {
              "operator": "OR",
              "negate": false,
              "cpeMatch": [
                {
                  "vulnerable": true,
                  "criteria": "cpe:2.3:a:redhat:developer_hub:-:*:*:*:*:*:*:*",
                  "matchCriteriaId": "C64C29AF-F32F-4AC1-BC84-276B4024D0C5"
                }
              ]
            }
          ]
        }
      ]
    },
    "legacy_mitre": {
      "record": {
        "CveYear": "2026",
        "CveId": "3118",
        "Ordinal": "1",
        "Title": "Rhdh: graphql injection leading to platform-wide denial of servi",
        "CVE": "CVE-2026-3118",
        "Year": "2026"
      },
      "notes": [
        {
          "CveYear": "2026",
          "CveId": "3118",
          "Ordinal": "1",
          "NoteData": "A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.",
          "Type": "Description",
          "Title": "Rhdh: graphql injection leading to platform-wide denial of servi"
        }
      ]
    }
  }
}