GHSA-QP4C-XG64-7C6X

Vulnerability from github – Published: 2026-03-12 14:51 – Updated: 2026-03-13 13:35
VLAI?
Summary
@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
Details

Impact

A Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects.

The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected.

### Patches

Patched in @backstage/plugin-auth-backend version 0.27.1. The fix disables HTTP redirect following when fetching CIMD metadata documents.

### Workarounds

Disable the experimental CIMD feature by removing or setting auth.experimentalClientIdMetadataDocuments.enabled to false in your app-config. This is the default configuration. Alternatively, restrict allowedClientIdPatterns to specific trusted domains rather than using the default wildcard pattern.

### References

Severity ?
0.0 (None)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@backstage/plugin-auth-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.27.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T14:51:02Z",
    "nvd_published_at": "2026-03-12T19:16:18Z",
    "severity": "LOW"
  },
  "details": "### Impact                                                                                                                                                                         \n                                                           \n  A Server-Side Request Forgery (SSRF) vulnerability exists in `@backstage/plugin-auth-backend` when `auth.experimentalClientIdMetadataDocuments.enabled` is set to `true`. The CIMD \n  metadata fetch validates the initial `client_id` hostname against private IP ranges but does not apply the same validation after HTTP redirects.\n                          \n  The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly\n   enabled via an experimental flag that is off by default. Deployments that restrict `allowedClientIdPatterns` to specific trusted domains are not affected.\n\n  ### Patches\n\n  Patched in `@backstage/plugin-auth-backend` version `0.27.1`. The fix disables HTTP redirect following when fetching CIMD metadata documents.\n\n  ### Workarounds\n\n  Disable the experimental CIMD feature by removing or setting `auth.experimentalClientIdMetadataDocuments.enabled` to `false` in your app-config. This is the default configuration.\n   Alternatively, restrict `allowedClientIdPatterns` to specific trusted domains rather than using the default wildcard pattern.\n\n  ### References\n\n  - [IETF Client ID Metadata Document draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)\n  - [MCP Authorization Specification - Client ID Metadata Documents](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-id-metadata-documents)",
  "id": "GHSA-qp4c-xg64-7c6x",
  "modified": "2026-03-13T13:35:46Z",
  "published": "2026-03-12T14:51:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851de0e07"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/backstage/backstage"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.