CVE-2026-32235
Received Received - Intake
OIDC Redirect URI Bypass in Backstage Auth Backend Plugin

Publication date: 2026-03-12

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default. This vulnerability is fixed in 0.27.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32235
EUVD
EUVD-2026-11671
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation backstage to 0.27.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32235 is a vulnerability in the experimental OIDC provider of the @backstage/plugin-auth-backend package prior to version 0.27.1. It involves a bypass of the redirect URI allowlist when certain experimental featuresβ€”Dynamic Client Registration or Client ID Metadata Documentsβ€”are enabled and allowedRedirectUriPatterns are configured.

An attacker can craft a malicious redirect URI that appears valid by passing the allowlist validation but actually redirects to an attacker-controlled host. If a user approves the OAuth consent request triggered by this URI, the attacker receives the victim’s authorization code, which can then be exchanged for a valid access token.

Exploitation requires user interaction and explicit enabling of the experimental features, which are not enabled by default. The vulnerability is fixed in version 0.27.1 of the plugin.

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to a high confidentiality loss because an attacker can obtain a victim's OAuth authorization code and exchange it for a valid access token, potentially gaining unauthorized access to protected resources."}, {'type': 'paragraph', 'content': 'The impact includes low integrity loss and no availability impact. However, the attacker gaining access tokens can compromise sensitive data or perform actions on behalf of the victim.'}, {'type': 'paragraph', 'content': 'Exploitation requires user interaction and that the experimental features are explicitly enabled, which reduces the likelihood but does not eliminate the risk.'}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects instances of @backstage/plugin-auth-backend prior to version 0.27.1 where experimental features Dynamic Client Registration or Client ID Metadata Documents are enabled and allowedRedirectUriPatterns are configured.

Detection involves verifying if your Backstage instance is running a vulnerable version of the plugin and if the experimental features are enabled with allowedRedirectUriPatterns configured.

There are no specific network or system commands provided in the available resources to detect exploitation attempts or presence of this vulnerability.

A practical approach is to check the version of the @backstage/plugin-auth-backend package and inspect the configuration for experimental features related to Dynamic Client Registration or Client ID Metadata Documents.

Mitigation Strategies

The primary mitigation is to upgrade the @backstage/plugin-auth-backend package to version 0.27.1 or later, where this vulnerability is fixed.

As a workaround, if upgrading is not immediately possible, disable the experimental features Dynamic Client Registration and Client ID Metadata Documents if they are enabled, to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32235. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart