VYPR

npm package

@backstage/plugin-auth-backend

pkg:npm/%40backstage/plugin-auth-backend

Vulnerabilities (3)

  • CVE-2026-32236 | Hig | Mar 12, 2026
    affected < 0.27.1 | fixed 0.27.1

    Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates th

  • CVE-2026-32235 | Mar 12, 2026
    affected < 0.27.1 | fixed 0.27.1

    Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Met

  • CVE-2021-43776 | Nov 26, 2021
    affected < 0.4.9 | fixed 0.4.9

    Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate acces