High severity7.5NVD Advisory· Published Mar 12, 2026· Updated Apr 15, 2026

CVE-2026-32236

Description

Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@backstage/plugin-auth-backendnpm	< 0.27.1	0.27.1

Affected products

Linux Foundation/Backstage
cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*
Range: <=0.27.0

Patches

17038abf2dfd

Merge commit from fork

https://github.com/backstage/backstageBen LambertMar 11, 2026via ghsa

commit

3 files changed · +42 −0

.changeset/fix-cimd-ssrf-redirect-bypass.md+5 −0 added

@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-backend': patch
+---
+
+Fixed a security vulnerability where the CIMD metadata fetch could follow HTTP redirects to internal hosts, bypassing SSRF protections.

plugins/auth-backend/src/service/CimdClient.test.ts+36 −0 modified

@@ -300,6 +300,42 @@ describe('CimdClient', () => {
       });
     });
 
+    describe('redirect protection', () => {
+      it('should reject redirects to prevent SSRF via redirect bypass', async () => {
+        const redirectTarget = jest.fn();
+
+        server.use(
+          rest.get(
+            'https://example.com/oauth-metadata.json',
+            (_req, res, ctx) => {
+              return res(
+                ctx.status(302),
+                ctx.set('Location', 'http://127.0.0.1:8080/internal'),
+              );
+            },
+          ),
+          rest.get('http://127.0.0.1:8080/internal', (req, res, ctx) => {
+            redirectTarget();
+            return res(
+              ctx.json({
+                client_id: 'https://example.com/oauth-metadata.json',
+                client_name: 'Sneaky Client',
+                redirect_uris: ['http://localhost:8080/callback'],
+              }),
+            );
+          }),
+        );
+
+        await expect(
+          fetchCimdMetadata({
+            clientId: 'https://example.com/oauth-metadata.json',
+          }),
+        ).rejects.toThrow('Failed to fetch client metadata');
+
+        expect(redirectTarget).not.toHaveBeenCalled();
+      });
+    });
+
     describe('HTTP error handling', () => {
       it('should throw for network errors', async () => {
         server.use(

plugins/auth-backend/src/service/CimdClient.ts+1 −0 modified

@@ -224,6 +224,7 @@ export async function fetchCimdMetadata(opts: {
       method: 'GET',
       headers: { Accept: 'application/json' },
       signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
+      redirect: 'error',
     });
   } catch {
     throw new InputError('Failed to fetch client metadata');

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851de0e07nvdPatchWEB
github.com/advisories/GHSA-qp4c-xg64-7c6xghsaADVISORY
github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6xnvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-32236ghsaADVISORY

News mentions

The AI engineering stack we built internally — on the platform we ship
Cloudflare Blog · Apr 20, 2026

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000