CVE-2026-32235
OIDC Redirect URI Bypass in Backstage Auth Backend Plugin
Publication date: 2026-03-12
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | backstage | up to and including 0.27.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32235 is a vulnerability in the experimental OIDC provider of the @backstage/plugin-auth-backend package prior to version 0.27.1. The provider's redirect URI allowlist, configured through allowedRedirectUriPatterns, can be bypassed when either of two experimental features (Dynamic Client Registration or Client ID Metadata Documents) is enabled alongside that allowlist.
An attacker can craft a redirect URI that passes the allowlist check but actually sends the browser to an attacker-controlled host. If a user approves the OAuth consent request started with that URI, the authorization code is delivered to the attacker, who can exchange it for a valid access token.
Exploitation requires user interaction and the explicit enabling of these experimental features, which are off by default. The issue is fixed in version 0.27.1 of the plugin.
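The advisory does not publish the exact crafted URI, so the following added example (written for this page, not code from Backstage or the advisory) illustrates the general CWE-601 failure it describes: a redirect_uri that satisfies a loose pattern-style allowlist while the URL parser resolves it to a different host. The allowlist entries, candidate URIs and hostnames below are constructed for illustration; none of them is the real bypass.

```javascript
// Added example, not code from Backstage or the advisory. It contrasts a
// prefix-style redirect_uri allowlist (the kind of loose "pattern" check that
// CWE-601 warns about) with a strict, parser-based comparison. The exact
// crafted URI used against CVE-2026-32235 is not on this page; every value
// below is constructed for illustration.

// Constructed allowlists. A prefix entry is the loose form; the strict list
// holds complete redirect URIs that must match exactly.
const ALLOWED_PREFIXES = ['https://app.example.com'];
const ALLOWED_URIS = ['https://app.example.com/api/auth/callback'];

// Loose check: accept any redirect_uri that begins with an allowed prefix.
function naiveAllowed(redirectUri) {
  return ALLOWED_PREFIXES.some((prefix) => redirectUri.startsWith(prefix));
}

// Strict check: parse with the WHATWG URL parser, reject credentials and
// fragments, require https, and require scheme, host, port, path and query to
// equal an allowed entry. String-prefix tricks fail here because the parser,
// not the string, decides what the host is.
function strictAllowed(redirectUri) {
  let candidate;
  try {
    candidate = new URL(redirectUri);
  } catch {
    return false; // unparsable input is never a valid redirect target
  }
  if (candidate.username || candidate.password || candidate.hash) return false;
  if (candidate.protocol !== 'https:') return false;
  return ALLOWED_URIS.some((entry) => {
    const allowed = new URL(entry);
    return (
      allowed.protocol === candidate.protocol &&
      allowed.hostname === candidate.hostname &&
      allowed.port === candidate.port &&
      allowed.pathname === candidate.pathname &&
      allowed.search === candidate.search
    );
  });
}

// Hostname as the parser sees it, or null when the input is not a URL.
function hostOf(uri) {
  try {
    return new URL(uri).hostname;
  } catch {
    return null;
  }
}

// Constructed candidates: one legitimate URI and three that pass the prefix
// check but land on a different host, a different port, or carry userinfo.
const CANDIDATES = [
  'https://app.example.com/api/auth/callback',
  'https://app.example.com.attacker.test/api/auth/callback', // host-suffix trick
  'https://app.example.com@attacker.test/api/auth/callback', // userinfo trick
  'https://app.example.com:8443/api/auth/callback', // different port
];

// Per candidate, what each check decides and where the browser would really go.
function compareChecks(candidates = CANDIDATES) {
  return candidates.map((uri) => ({
    uri,
    naive: naiveAllowed(uri),
    strict: strictAllowed(uri),
    host: hostOf(uri),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of compareChecks()) {
    console.log(
      `naive=${row.naive ? 'PASS' : 'FAIL'} strict=${row.strict ? 'PASS' : 'FAIL'} host=${row.host} ${row.uri}`,
    );
  }
}
```

The second and third candidates are the instructive ones: both start with the allowed prefix, yet the parser reports their host as app.example.com.attacker.test and attacker.test respectively, which is where an authorization code sent to that redirect_uri would end up. Whatever pattern syntax an allowlist uses, the safe comparison is against the parsed components, never against the raw string.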
How can this vulnerability impact me?
This vulnerability can lead to a high confidentiality loss: an attacker who obtains a victim's OAuth authorization code can exchange it for a valid access token and gain unauthorized access to protected resources.
The integrity impact is low and there is no availability impact. An attacker holding a victim's access token can still read sensitive data or perform actions on the victim's behalf.
Exploitation requires user interaction and explicitly enabled experimental features, which reduces the likelihood but does not eliminate the risk. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects instances of @backstage/plugin-auth-backend prior to version 0.27.1 in which the experimental Dynamic Client Registration or Client ID Metadata Documents features are enabled and allowedRedirectUriPatterns is configured.
Detection therefore comes down to two local checks: confirm which version of the plugin is installed, and inspect the Backstage configuration for those experimental features and for allowedRedirectUriPatterns.
The available resources give no specific network or system commands for detecting exploitation attempts or the presence of this vulnerability, so the practical approach is to check the installed version of the @backstage/plugin-auth-backend package and review the configuration for the experimental features and the allowlist.
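The following added script (not from the advisory or the Backstage project) encodes the two facts the page gives for detection: the installed plugin version must be below 0.27.1 and allowedRedirectUriPatterns must be configured. The configuration keys that switch on Dynamic Client Registration or Client ID Metadata Documents are not named on this page, so the script does not try to detect them and instead asks you to review them when the other two signals are present. The package.json fragment and app-config text are constructed samples; the placement of allowedRedirectUriPatterns under auth: in the sample is an assumption, which is why the scan matches the key anywhere in the file.

```javascript
// Added example, not from the advisory or the Backstage project. Combines the
// two detection signals the advisory gives (plugin version < 0.27.1 and
// allowedRedirectUriPatterns present) into a verdict. The experimental-feature
// config keys are not named on this page, so they are left for manual review.
// All inputs below are constructed samples, not real files.

const FIXED_VERSION = [0, 27, 1];

// Parse "^0.27.0", "~0.26.3" or "0.27.1" into numeric [major, minor, patch].
// Range prefixes are stripped; on a real deployment feed in the resolved
// version (from `yarn why` or `npm ls`), not the package.json range.
function parseSemver(spec) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  if (!m) throw new Error(`unrecognised version spec: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true when the installed version already contains the fix (>= 0.27.1)
function isFixedVersion(spec) {
  return compareSemver(parseSemver(spec), FIXED_VERSION) >= 0;
}

// true when the key named in the advisory appears as a YAML mapping key,
// at any nesting level, in the app-config text
function allowlistConfigured(appConfigYaml) {
  return /^[ \t]*allowedRedirectUriPatterns[ \t]*:/m.test(appConfigYaml);
}

// Verdict codes:
//   not-affected                     fixed version installed
//   upgrade                          vulnerable version, allowlist not configured
//   affected-if-experimental-enabled vulnerable version and allowlist configured;
//                                    check whether Dynamic Client Registration or
//                                    Client ID Metadata Documents is enabled
function assess({ installedVersion, appConfigYaml }) {
  const vulnerableVersion = !isFixedVersion(installedVersion);
  const allowlist = allowlistConfigured(appConfigYaml);
  let verdict = 'not-affected';
  if (vulnerableVersion) {
    verdict = allowlist ? 'affected-if-experimental-enabled' : 'upgrade';
  }
  return { installedVersion, vulnerableVersion, allowlistConfigured: allowlist, verdict };
}

// Constructed sample inputs. The key path under "auth:" is hypothetical;
// the advisory only names the key, not where it lives.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { '@backstage/plugin-auth-backend': '^0.27.0' },
};
const SAMPLE_APP_CONFIG = [
  'auth:',
  '  environment: production',
  '  allowedRedirectUriPatterns:',
  '    - https://app.example.com/*',
].join('\n');

function assessSample() {
  return assess({
    installedVersion: SAMPLE_PACKAGE_JSON.dependencies['@backstage/plugin-auth-backend'],
    appConfigYaml: SAMPLE_APP_CONFIG,
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(assessSample(), null, 2));
}
```

On a real deployment, obtain the resolved version with `yarn why @backstage/plugin-auth-backend` or `npm ls @backstage/plugin-auth-backend` rather than reading the range in package.json, since a caret range such as ^0.27.0 may already resolve to the fixed 0.27.1 in the lockfile.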
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the @backstage/plugin-auth-backend package to version 0.27.1 or later, where this vulnerability is fixed.
As a workaround, if upgrading is not immediately possible, disable the experimental features Dynamic Client Registration and Client ID Metadata Documents if they are enabled, to prevent exploitation.