Description
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD
metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.
Published: 2026-03-12
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Patch
AI Analysis

Impact

The vulnerability allows an attacker to force the Backstage application to make an outgoing HTTP request to a supplied client_id URL. Because the initial host name is validated against private IP ranges but the validation is not reapplied after HTTP redirects, a carefully crafted target can induce the server to reach internal resources. However, the attacker cannot read the response body, control request headers or the HTTP method, and the feature that triggers the fetch must be explicitly enabled via the experimental flag. Thus the practical impact is limited to probing internal network addresses that the application can reach. The weakness is a classic Server‑Side Request Forgery (CWE‑918).

Affected Systems

All deployments of the @backstage/plugin‑auth‑backend component earlier than version 0.27.1 are vulnerable. The plugin is part of the Backstage open‑source developer portal framework. If the application disables the experimental feature flag or restricts allowedClientIdPatterns to trusted domains, the vulnerability does not apply.

Risk and Exploitability

The vulnerability scores a CVSS of 1.7, indicating a low severity, and has a low EPSS (<1%). It is not listed in the CISA KEV catalog, implying a low likelihood of exploitation. An attacker would need the ability to modify the application configuration to enable the experimental flag and supply a target URL that redirects to an internal host. Because the exploit cannot retrieve sensitive data from the internal request, the overall risk remains low, but a patch is recommended to eliminate the possibility of internal network probing.

Generated by OpenCVE AI on April 16, 2026 at 02:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to @backstage/plugin‑auth‑backend version 0.27.1 or later
  • Disable the auth.experimentalClientIdMetadataDocuments.enabled flag if the experimental feature is not needed
  • Configure allowedClientIdPatterns to limit client_id URLs to trusted domains

Generated by OpenCVE AI on April 16, 2026 at 02:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qp4c-xg64-7c6x @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
History

Wed, 15 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 0.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 15 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation backstage
CPEs cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation backstage

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Backstage
Backstage plugin-auth-backend
Vendors & Products Backstage
Backstage plugin-auth-backend

Fri, 13 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References

Thu, 12 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.
Title @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N'}

Subscriptions

Backstage Plugin-auth-backend
Linuxfoundation Backstage
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T20:46:50.517Z

Reserved: 2026-03-11T14:47:05.683Z

Link: CVE-2026-32236

cve-icon Vulnrichment

Updated: 2026-03-12T20:38:13.637Z

cve-icon NVD

Status : Modified

Published: 2026-03-12T19:16:18.867

Modified: 2026-04-15T21:17:26.827

Link: CVE-2026-32236

cve-icon Redhat

Severity :

Publid Date: 2026-03-12T18:37:11Z

Links: CVE-2026-32236 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:00:09Z

Weaknesses