Vulnerability DatabaseCVE-2026-32236
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-32236
March 12, 2026
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.
Affected Packages
https://github.com/backstage/backstage.git (GITHUB):
Affected version(s) >=v0.1.0 <v1.48.5
Fix Suggestion:
Update to version v1.48.5
@backstage/plugin-auth-backend (NPM):
Affected version(s) >=0.0.0-nightly-2020972106 <0.27.1
Fix Suggestion:
Update to version 0.27.1
Related Resources (4)
https://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851de0e07
https://nvd.nist.gov/vuln/detail/CVE-2026-32236
https://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x
https://github.com/backstage/backstage
Do you need more information?
Contact Us
Weakness Type (CWE)
Server-Side Request Forgery (SSRF)
CWE-918
EPSS
Base Score:
0.04