CVE-2026-32235

MEDIUM EPSS 3.7%
Published Mar 12, 20263mo ago · Modified Jun 17, 20262w ago
4.7 CVSS 3.1
Medium
Find Similar
Published Mar 12, 2026 3mo ago
Last Modified Jun 17, 2026 2w ago

Description

Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default. This vulnerability is fixed in 0.27.1.

CVSS Details

Base Score
4.7
Exploitability
1.6
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
3.7% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-601

Affected Products 1

VendorProductVersionRange
linuxfoundationbackstage* ≤0.27.0

References 1

  • github.com https://github.com/backstage/backstage/security/advisories/GHSA-wqvh-63mv-9w92
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.