Description
Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default. This vulnerability is fixed in 0.27.1.
Published: 2026-03-12
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Code Interception
Action: Patch
AI Analysis

Impact

The vulnerability arises from the experimental OIDC provider in @backstage/plugin-auth-backend, which performs insufficient validation of redirect URIs against an allowlist. An attacker can craft a redirect URI that satisfies the allowlist pattern while targeting an attacker-controlled host. When a user authorizes the request, the resulting OAuth authorization code is sent to the attacker, who can then exchange it for a valid access token. This allows the attacker to obtain unauthorized access tokens, potentially compromising the confidentiality and integrity of protected resources. The weakness is identified as CWE-601 (Open Redirect).

Affected Systems

Any Backstage instance using @backstage/plugin-auth-backend prior to version 0.27.1 is affected, provided that the experimental Dynamic Client Registration or Client ID Metadata Documents features are enabled and allowedRedirectUriPatterns are configured. The vulnerability is present in all versions below 0.27.1 that include the experimental OIDC provider.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. EPSS suggests exploitation probability is below 1 %, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the victim to interact with the OAuth consent flow and the attacker must have an enabled experimental feature. The attack vector is network-based via OAuth, but necessitates user authorization. Because it relies on feature configuration and victim interaction, the overall risk to an unconfigured or unmanaged instance is limited, though impacted deployments should still remediate promptly.

Generated by OpenCVE AI on March 19, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Backstage to version 0.27.1 or later to remove the vulnerability.
  • Disable experimental Dynamic Client Registration and Client ID Metadata Documents if you do not need them.
  • Review and tighten allowedRedirectUriPatterns to only include trusted hosts.
  • Verify that redirect URIs do not resolve to attacker-controlled domains.
  • Monitor OAuth consent logs for suspicious approvals and configure alerts.

Generated by OpenCVE AI on March 19, 2026 at 22:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wqvh-63mv-9w92 @backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass
History

Thu, 19 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation backstage
CPEs cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation backstage

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Backstage
Backstage plugin-auth-backend
Vendors & Products Backstage
Backstage plugin-auth-backend

Fri, 13 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 12 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default. This vulnerability is fixed in 0.27.1.
Title @backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass
Weaknesses CWE-601
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N'}

Subscriptions

Backstage Plugin-auth-backend
Linuxfoundation Backstage
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:46:46.618Z

Reserved: 2026-03-11T14:47:05.683Z

Link: CVE-2026-32235

cve-icon Vulnrichment

Updated: 2026-03-12T20:38:14.902Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-12T19:16:17.443

Modified: 2026-03-19T20:55:22.143

Link: CVE-2026-32235

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-12T18:35:06Z

Links: CVE-2026-32235 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:55:03Z

Weaknesses