Vulnerability Description
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.
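As an added illustration, not Backstage's own code, the following JavaScript shows the class of check the description says was missing: a metadata fetcher that re-validates the destination host on every redirect hop rather than only on the initial client_id. The hostnames, addresses, resolver table and stub fetch are constructed so the example runs offline.

```javascript
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
// Private, loopback, link-local and unspecified ranges. The list is this
// example's own; extend it to match your deployment's blocklist.
function isPrivateAddress(ip) {
  const m = IPV4.exec(ip);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    return a === 10 || a === 127 || a === 0 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  const v6 = ip.toLowerCase();  // ::1, ::, fc00::/7, fe80::/10, IPv4-mapped
  return v6 === '::1' || v6 === '::' || /^f[cd]/.test(v6) ||
    v6.startsWith('fe80') || v6.startsWith('::ffff:');
}

// Resolve the URL's host (IP literals pass through) and refuse private targets.
async function assertPublicHost(url, resolve) {
  const host = new URL(url).hostname.replace(/^\[|\]$/g, '');
  const isLiteral = IPV4.test(host) || host.includes(':');
  const addrs = isLiteral ? [host] : await resolve(host);
  if (addrs.length === 0 || addrs.some(isPrivateAddress)) {
    throw new Error(`refusing ${url}: host resolves to a private address`);
  }
}

// Follow redirects by hand so the check runs on every hop, not just the first.
async function fetchWithRedirectChecks(url, { fetchImpl, resolve, maxRedirects = 3 }) {
  let current = url;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    await assertPublicHost(current, resolve);
    const res = await fetchImpl(current, { redirect: 'manual' });  // 3xx handed back to us
    if (res.status < 300 || res.status >= 400) return res;
    const location = res.headers.get('location');
    if (!location) throw new Error('redirect without a Location header');
    current = new URL(location, current).toString();  // handles relative Location
  }
  throw new Error(`too many redirects (limit ${maxRedirects})`);
}

// Constructed stand-ins: a resolver with a fixed table and a fetch whose
// public host redirects into a private address.
function demoRedirectIntoPrivateRange() {
  const table = { 'client.example.com': ['203.0.113.10'] };
  const resolve = async host => table[host] || [];
  const fetchImpl = async u => new URL(u).hostname === 'client.example.com'
    ? { status: 302, headers: new Map([['location', 'http://10.0.0.8/internal']]) }
    : { status: 200, headers: new Map() };
  return fetchWithRedirectChecks('https://client.example.com/client-id.json', { fetchImpl, resolve })
    .then(() => 'allowed', err => err.message);  // resolves to 'refusing http://10.0.0.8/internal: host resolves to a private address'
}
```

A fetcher that relied on the HTTP client's automatic redirect handling would skip the second assertPublicHost call and reach 10.0.0.8; the manual loop is what closes that gap.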
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Backstage | <= 0.27.0 |
Related Weaknesses (CWE)
References
- Patch: https://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851
- Vendor Advisory: https://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x
FAQ
What is CVE-2026-32236?
CVE-2026-32236 is a vulnerability with a CVSS score of 7.5 (HIGH). Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClient...
How severe is CVE-2026-32236?
CVE-2026-32236 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-32236?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Backstage.