CVE-2026-32236

low-risk
Published 2026-03-12

Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.

Do I need to act?

-
0.04% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance

Affected Products (1)

Backstage

Affected Vendors

Linuxfoundation

References (2)

Patch https://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851...
Vendor Advisory https://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x
8
/ 100
low-risk
Severity 3/34 · Minimal
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal