CVE-2026-32235

MEDIUM

Backstage <0.27.1 - Open Redirect

Title source: llm

Description

Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default. This vulnerability is fixed in 0.27.1.

References (1)

[Vendor Advisory] https://github.com/backstage/backstage/security/advisories/GHSA-wqvh-63mv-9w92

Scores

CVSS v3 5.9

EPSS 0.0003

EPSS Percentile 8.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

Details

CWE

CWE-601

Status published

Products (2)

backstage/plugin-auth-backend 0 - 0.27.1npm

linuxfoundation/backstage < 0.27.0

Published Mar 12, 2026

Tracked Since Mar 13, 2026