PT-2026-25051 · Npm+3 · @Backstage/Plugin-Auth-Backend+2

Benjdlambert · Published 2026-03-12 · Updated 2026-03-12 · CVE-2026-32235

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Backstage versions prior to 0.27.1
Description: Backstage, an open framework for building developer portals, has an issue in the experimental OIDC provider of the @backstage/plugin-auth-backend component. Specifically, a redirect URI allowlist bypass can occur in instances where experimental Dynamic Client Registration or Client ID Metadata Documents are enabled and allowedRedirectUriPatterns are configured. A crafted redirect URI can pass validation yet resolve to a host controlled by an attacker. If a user approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can then exchange it for a valid access token. Exploitation requires user interaction and the explicit enabling of one of these experimental features, neither of which is enabled by default. The vulnerable component uses the allowedRedirectUriPatterns setting for redirect URI validation.
Recommendations: Upgrade to @backstage/plugin-auth-backend version 0.27.1 or later. Disable the experimental Dynamic Client Registration and Client ID Metadata Documents features if they are not required.

Exploit

Fix

RCE

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2026-32235
GHSA-WQVH-63MV-9W92

Affected Products

@backstage/plugin-auth-backend
Backstage
plugin-auth-backend