How serious is CVE-2026-3118?

This vulnerability has a CVSS score of 6.5 out of 10, classified as MEDIUM severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2026-3118?

Yes, proof-of-concept exploit code for CVE-2026-3118 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2026-3118?

CVE-2026-3118 affects redhat developer hub. Check the full CVE details for specific version information.

How do I fix CVE-2026-3118?

To remediate CVE-2026-3118, check for security patches from redhat. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-3118

Medium

|6.5

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

An attacker can crash the Red Hat Developer Hub application by sending specially crafted input through API requests, causing a Denial of Service that temporarily locks out all legitimate users. This vulnerability requires the attacker to be an authenticated user, meaning they already have access to the system.

Technical Description

A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionNone

Confidentiality ImpactNone

Integrity ImpactNone

Availability ImpactHigh

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$931($500-$1K)

Vendor Response

Grade APatched in 2 days

Quick Information

Published

Feb 25, 2026

about 1 month ago

Last Modified

Feb 27, 2026

about 1 month ago

Vendor

redhat

Product

developer hub

Related Vulnerabilities

CVE-2025-12150Low

An attacker can register fake or untrusted authentication devices in Keycloak, even if the system is set to require secure verification, by submitting a specific type of data that bypasses security checks. This vulnerability weakens the overall security of user authentication, but it requires the attacker to have access to the registration process.

CVE-2026-0980High

An attacker with the right permissions can exploit a flaw in the Red Hat Satellite system to run their own code remotely by creating a specially crafted username for the Baseboard Management Controller. This requires the attacker to already have access to create or update hosts within the system.

CVE-2026-0871Medium

An attacker with the `manage-users` permission can change user profile information that should be restricted, bypassing security settings meant to protect unmanaged attributes. This means that if someone has this admin role, they can make unauthorized modifications to user data, even when the system is supposed to prevent it.

CVE-2026-26104Medium

An attacker can exploit a flaw in the udisks storage management system to access and back up sensitive encryption information from LUKS-encrypted drives without proper authorization. This vulnerability requires the attacker to have access to the system as an unprivileged user, allowing them to potentially compromise the confidentiality of encrypted data.

CVE-2026-26103High

An attacker with local access can exploit a flaw in the udisks storage management tool to overwrite encryption settings on protected drives, potentially making the data permanently inaccessible. This requires no special privileges, meaning any regular user on the system could cause significant data loss and disrupt access to encrypted volumes.