FKIE_CVE-2026-32236
Vulnerability from fkie_nvd - Published: 2026-03-12 19:16 - Updated: 2026-03-12 21:07
Severity
Summary
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD\nmetadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1."
},
{
"lang": "es",
"value": "Backstage es un framework abierto para construir portales de desarrollador. Antes de 0.27.1, existe una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en @backstage/plugin-auth-backend cuando auth.experimentalClientIdMetadataDocuments.enabled est\u00e1 configurado como true. La obtenci\u00f3n de metadatos CIMD valida el nombre de host client_id inicial contra rangos de IP privados, pero no aplica la misma validaci\u00f3n despu\u00e9s de las redirecciones HTTP. El impacto pr\u00e1ctico es limitado. El atacante no puede leer el cuerpo de la respuesta de la petici\u00f3n interna, no puede controlar las cabeceras o el m\u00e9todo de la petici\u00f3n, y la caracter\u00edstica debe habilitarse expl\u00edcitamente mediante una bandera experimental que est\u00e1 desactivada por defecto. Las implementaciones que restringen allowedClientIdPatterns a dominios de confianza espec\u00edficos no se ven afectadas. Parcheado en la versi\u00f3n 0.27.1 de @backstage/plugin-auth-backend."
}
],
"id": "CVE-2026-32236",
"lastModified": "2026-03-12T21:07:53.427",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 0.0,
"baseSeverity": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 0.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-12T19:16:18.867",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851de0e07"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.