Description
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD
metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.
Published: 2026-03-12
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (SSRF)
Action: Apply Patch
AI Analysis

Impact

Prior to version 0.27.1, the Backstage plugin‑auth‑backend contains a Server‑Side Request Forgery vulnerability that is triggered when the experimental configuration flag `auth.experimentalClientIdMetadataDocuments.enabled` is set to true. During the CIMD metadata fetch, the initial `client_id` hostname is validated against private IP ranges, but the same validation is not reapplied after HTTP redirects, allowing the server to make internal network requests. The attacker cannot read the response body, cannot control request headers or method, and the feature is disabled by default. As a result, the vulnerability is limited to internal network reconnaissance and indirect reachability.

Affected Systems

All releases of @backstage/plugin‑auth‑backend before version 0.27.1 are vulnerable when the experimental flag is enabled. Deployments that have the flag disabled—its default state—or that restrict `allowedClientIdPatterns` to trusted domains are not affected. The affected product is part of the open‑source Backstage developer portal framework.

Risk and Exploitability

The EPSS score is less than 1 % and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating a low probability of automated exploitation. The practical impact is limited, but exploiting the flaw requires the attacker to enable the experimental flag, which in typical deployments requires administrative configuration changes. Based on the description, it is inferred that an attacker would need such administrative access to modify the configuration and trigger the SSRF path. The risk remains low unless such privileged changes are made, at which point internal network discovery could occur.

Generated by OpenCVE AI on March 18, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update @backstage/plugin‑auth-backend to version 0.27.1 or later.
  • If an immediate upgrade is not possible, disable the experimental configuration flag `auth.experimentalClientIdMetadataDocuments.enabled`.
  • Optionally, configure `allowedClientIdPatterns` to allow only trusted domains to reduce residual risk.

Generated by OpenCVE AI on March 18, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qp4c-xg64-7c6x @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation backstage
CPEs cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation backstage

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Backstage
Backstage plugin-auth-backend
Vendors & Products Backstage
Backstage plugin-auth-backend

Fri, 13 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References

Thu, 12 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.
Title @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N'}

Subscriptions

Backstage Plugin-auth-backend
Linuxfoundation Backstage
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:46:40.754Z

Reserved: 2026-03-11T14:47:05.683Z

Link: CVE-2026-32236

cve-icon Vulnrichment

Updated: 2026-03-12T20:38:13.637Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-12T19:16:18.867

Modified: 2026-04-13T14:23:13.453

Link: CVE-2026-32236

cve-icon Redhat

Severity :

Publid Date: 2026-03-12T18:37:11Z

Links: CVE-2026-32236 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:55:01Z

Weaknesses