Platform: nodejs
Component: @backstage/plugin-auth-backend
Fixed in: 0.27.2, 0.27.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the @backstage/plugin-auth-backend plugin, affecting versions prior to 0.27.1. When auth.experimentalClientIdMetadataDocuments.enabled is set to true, an attacker can bypass the plugin's hostname validation after an HTTP redirect. The vulnerability was published on 2026-03-12 and a fix is available in version 0.27.1.
The SSRF arises from insufficient validation of hostnames after HTTP redirects in the Client Identity Metadata Documents (CIMD) fetching process. When auth.experimentalClientIdMetadataDocuments.enabled is set to true, the plugin fetches the metadata document for a client_id; the check of that hostname against private IP ranges is applied only to the initial client_id URL, not to the hosts reached by following redirects. An attacker who controls the initial host can therefore answer with a redirect to an internal resource, and the plugin follows it, bypassing the intended control. Successful exploitation could give unauthorized access to internal services or data, exposing sensitive information or enabling further attacks within the internal network. The impact is limited by the scope of the plugin and by whether the auth.experimentalClientIdMetadataDocuments feature is enabled at all.
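The following is an added example, not code from Backstage or the plugin: it contrasts the vulnerable shape described above (validate the client_id host once, then let the HTTP client follow redirects) with a hardened fetch loop that re-validates the host on every hop. The functions `isInternalHost`, `assertAllowedTarget`, `fetchMetadataUnchecked` and `fetchMetadataChecked`, the route table and the synchronous `fakeFetch` stand-in are all constructed for this demo; the real plugin's code is not reproduced here.

```javascript
// Added example (not Backstage's own code): re-validate the target host on
// every hop of a redirect chain instead of only on the initial client_id.
// The route table and the fetch stand-in below are constructed for this demo.

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for loopback, private, link-local, CGNAT and unspecified addresses.
// Only literal addresses and "localhost" are recognised here; a DNS name that
// resolves to an internal address must be caught by resolving it first and
// checking (and pinning) the resolved address before connecting.
function isInternalHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h.startsWith('::ffff:')) {                       // IPv4-mapped IPv6
    const rest = h.slice(7);
    if (IPV4.test(rest)) return isInternalHost(rest);
    const parts = rest.split(':');
    if (parts.length !== 2) return false;
    const [hi, lo] = parts.map((x) => parseInt(x, 16));
    return isInternalHost(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  const m = IPV4.exec(h);
  if (m) {
    const [a, b] = m.slice(1).map(Number);
    return a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) ||            // 100.64.0.0/10
      (a === 169 && b === 254) ||                      // link-local / cloud metadata
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  if (h.includes(':')) {
    return h === '::' || h === '::1' || /^f[cd]/.test(h) || h.startsWith('fe80');
  }
  return false;
}

function assertAllowedTarget(url) {
  const u = new URL(url); // normalises forms like 0x7f000001 or 2130706433 to dotted IPv4
  if (u.protocol !== 'https:') throw new Error(`refusing ${u.protocol} URL`);
  if (isInternalHost(u.hostname)) throw new Error(`refusing internal host ${u.hostname}`);
  return u;
}

// Vulnerable shape: validate the client_id once, then let the HTTP client
// follow redirects on its own. Redirect targets are never checked.
function fetchMetadataUnchecked(clientId, fetchImpl) {
  assertAllowedTarget(clientId);
  return fetchImpl(clientId, { redirect: 'follow' });
}

// Hardened shape: follow redirects by hand and validate every hop.
function fetchMetadataChecked(clientId, fetchImpl, maxRedirects = 5) {
  let url = clientId;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    assertAllowedTarget(url);
    const res = fetchImpl(url, { redirect: 'manual' });
    if (res.status < 300 || res.status >= 400) return res;
    const location = res.headers.get('location');
    if (!location) throw new Error('redirect without Location header');
    url = new URL(location, url).toString(); // a relative Location resolves against the current URL
  }
  throw new Error(`more than ${maxRedirects} redirects`);
}

// Constructed stand-in for fetch(): synchronous so the demo runs without a
// network or an event loop; a real implementation awaits each call.
const FAKE_ROUTES = {
  'https://client.example.com/oauth-client': { status: 302, location: 'https://10.0.0.5/admin/config' },
  'https://10.0.0.5/admin/config': { status: 200, body: '{"db_password":"constructed-secret"}' },
};

function makeResponse(status, headers, body) {
  return { status, headers: { get: (k) => headers[k.toLowerCase()] ?? null }, text: () => body };
}

function fakeFetch(url, { redirect } = {}) {
  let current = url;
  for (let i = 0; i < 10; i++) {
    const route = FAKE_ROUTES[current];
    if (!route) return makeResponse(404, {}, '');
    const isRedirect = route.status >= 300 && route.status < 400;
    if (isRedirect && redirect === 'follow') {
      current = new URL(route.location, current).toString();
      continue;
    }
    return makeResponse(route.status, { location: route.location }, route.body ?? '');
  }
  throw new Error('fakeFetch: redirect loop');
}

// Runs both shapes against the same client_id and reports what each reached.
function demo(clientId = 'https://client.example.com/oauth-client') {
  const leaked = fetchMetadataUnchecked(clientId, fakeFetch);
  let hardened;
  try {
    fetchMetadataChecked(clientId, fakeFetch);
    hardened = 'fetched';
  } catch (e) {
    hardened = `blocked: ${e.message}`;
  }
  return { uncheckedStatus: leaked.status, uncheckedBody: leaked.text(), hardened };
}

console.log(demo());
```

The unchecked variant returns the body served from 10.0.0.5, because the only validation ran before the redirect; the checked variant stops at the second hop. Parsing each hop with `new URL()` also defeats the numeric host encodings that a plain string comparison would miss, while names that resolve to internal addresses still need a resolve-then-check step that this snippet leaves as a comment.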
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (POC) code is not yet available, but the SSRF nature of the vulnerability suggests a moderate likelihood of exploitation if a POC is released. The CVSS score of 2.5 (LOW) reflects the limited scope and potential impact. The vulnerability was disclosed publicly on 2026-03-12.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC
The primary mitigation for CVE-2026-32236 is to upgrade to @backstage/plugin-auth-backend version 0.27.1 or later, which includes the necessary hostname validation fixes. If upgrading is not immediately feasible, consider disabling the auth.experimentalClientIdMetadataDocuments.enabled feature. This will prevent the vulnerable metadata fetching process from executing. As a temporary workaround, implement a Web Application Firewall (WAF) or proxy rules to filter out requests containing suspicious redirects or internal IP addresses. Monitor logs for unusual outbound requests originating from the plugin.
Update the @backstage/plugin-auth-backend plugin to version 0.27.1 or higher to mitigate the SSRF vulnerability. Ensure that the `auth.experimentalClientIdMetadataDocuments.enabled` option is disabled unless absolutely necessary. If enabled, restrict `allowedClientIdPatterns` to specific trusted domains.
CVE-2026-32236 is a Server-Side Request Forgery (SSRF) vulnerability in @backstage/plugin-auth-backend versions prior to 0.27.1. It allows attackers to bypass hostname validation after HTTP redirects when CIMD is enabled.
You are affected if you are using @backstage/plugin-auth-backend versions 0.27.0 or earlier and have auth.experimentalClientIdMetadataDocuments.enabled set to true.
Upgrade to @backstage/plugin-auth-backend version 0.27.1 or later. Alternatively, disable auth.experimentalClientIdMetadataDocuments.enabled.
There is no confirmed active exploitation at this time, but the SSRF nature of the vulnerability suggests a potential risk.
Refer to the Backstage security advisories and release notes for details: [https://backstage.io/security](https://backstage.io/security)