Update dependency @backstage/plugin-catalog-backend-module-unprocessed to v0.6.11 - abandoned

[mend-on-mend]

This PR contains the following updates:

Package	Change	Age	Confidence
@backstage/plugin-catalog-backend-module-unprocessed (source)	0.6.1 → 0.6.11

---

Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks

CVE-2026-44374 / GHSA-p7g9-rp3g-mgfg

More information

Details

Impact

The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is
an information disclosure vulnerability affecting Backstage installations using this module.

Patches

This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30. Users should upgrade all packages.

Workarounds

If users cannot upgrade, they can remove the @backstage/plugin-catalog-backend-module-unprocessed module from their backend until the patch is applied. There is no configuration-based workaround to add permission checks to these endpoints
without upgrading.

Severity

• CVSS Score: 4.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/backstage/backstage/security/advisories/GHSA-p7g9-rp3g-mgfg
• https://github.com/backstage/backstage

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

backstage/backstage (@​backstage/plugin-catalog-backend-module-unprocessed)

v0.6.11

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/errors@​1.3.1-next.0
  • @​backstage/plugin-auth-node@​0.7.1-next.0
  • @​backstage/backend-plugin-api@​1.9.1-next.0
  • @​backstage/catalog-model@​1.8.1-next.0
  • @​backstage/plugin-catalog-node@​2.2.1-next.0
  • @​backstage/plugin-catalog-unprocessed-entities-common@​0.0.15-next.0
  • @​backstage/plugin-permission-common@​0.9.9-next.0

v0.6.10

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/backend-plugin-api@​1.9.0
  • @​backstage/errors@​1.3.0
  • @​backstage/plugin-auth-node@​0.7.0
  • @​backstage/catalog-model@​1.8.0
  • @​backstage/plugin-catalog-node@​2.2.0
  • @​backstage/plugin-catalog-unprocessed-entities-common@​0.0.14
  • @​backstage/plugin-permission-common@​0.9.8

v0.6.9

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/backend-plugin-api@​1.8.0
  • @​backstage/plugin-catalog-node@​2.1.0
  • @​backstage/plugin-permission-common@​0.9.7
  • @​backstage/catalog-model@​1.7.7
  • @​backstage/plugin-auth-node@​0.6.14

v0.6.8

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/plugin-catalog-node@​2.0.0
  • @​backstage/backend-plugin-api@​1.7.0
  • @​backstage/plugin-auth-node@​0.6.13
  • @​backstage/plugin-permission-common@​0.9.6
  • @​backstage/plugin-catalog-unprocessed-entities-common@​0.0.13

v0.6.7

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/plugin-auth-node@​0.6.10
  • @​backstage/backend-plugin-api@​1.6.0
  • @​backstage/plugin-catalog-unprocessed-entities-common@​0.0.12
  • @​backstage/plugin-catalog-node@​1.20.1

v0.6.6

Compare Source

Patch Changes

• 05f60e1: Refactored constructor parameter properties to explicit property declarations for compatibility with TypeScript's erasableSyntaxOnly setting. This internal refactoring maintains all existing functionality while ensuring TypeScript compilation compatibility.
• Updated dependencies
  • @​backstage/plugin-catalog-node@​1.20.0
  • @​backstage/backend-plugin-api@​1.5.0
  • @​backstage/plugin-permission-common@​0.9.3
  • @​backstage/plugin-auth-node@​0.6.9
  • @​backstage/catalog-model@​1.7.6
  • @​backstage/plugin-catalog-unprocessed-entities-common@​0.0.11

v0.6.5

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/backend-plugin-api@​1.4.4
  • @​backstage/plugin-auth-node@​0.6.8
  • @​backstage/plugin-catalog-node@​1.19.1
  • @​backstage/plugin-catalog-unprocessed-entities-common@​0.0.10
  • @​backstage/plugin-permission-common@​0.9.2

v0.6.4

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/plugin-catalog-node@​1.19.0
  • @​backstage/plugin-auth-node@​0.6.7
  • @​backstage/backend-plugin-api@​1.4.3

v0.6.3

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/plugin-catalog-node@​1.18.0
  • @​backstage/plugin-auth-node@​0.6.6
  • @​backstage/backend-plugin-api@​1.4.2

v0.6.2

Compare Source

Patch Changes

• Updated dependencies
  • @​backstage/plugin-permission-common@​0.9.1
  • @​backstage/catalog-model@​1.7.5
  • @​backstage/backend-plugin-api@​1.4.1
  • @​backstage/plugin-auth-node@​0.6.5
  • @​backstage/plugin-catalog-node@​1.17.2
  • @​backstage/plugin-catalog-unprocessed-entities-common@​0.0.9

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

[mend-on-mend]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[mend-on-mend]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.