PT-2026-25052 · npm+3 · @backstage/plugin-auth-backend+2

Benjdlambert · Published 2026-03-12 · Updated 2026-03-12 · CVE-2026-32236

CVSS v4.0: 1.7 (Low)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Backstage versions prior to 0.27.1

Description: Backstage is an open framework for building developer portals. A Server-Side Request Forgery (SSRF) issue exists in the @backstage/plugin-auth-backend component when the auth.experimentalClientIdMetadataDocuments.enabled setting is enabled. The component validates the initial client id hostname against private IP ranges, but this validation is not applied again after HTTP redirects, so a client id URL on an allowed host can redirect the metadata fetch to a private address. The impact is limited: an attacker cannot read the response body, and cannot control the request headers or the request method. The feature is disabled by default, and deployments that restrict allowedClientIdPatterns to trusted domains are not affected.

Recommendations:
- Versions prior to 0.27.1: Update to version 0.27.1 or later.
- Versions prior to 0.27.1: Disable the experimental CIMD feature by setting auth.experimentalClientIdMetadataDocuments.enabled to false in your app-config.
- Versions prior to 0.27.1: Restrict allowedClientIdPatterns to specific trusted domains.
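The fix pattern the description implies, shown as an added example (not Backstage's own code): re-apply the private-range hostname check on every redirect hop instead of only on the initial client id URL. `doFetch`, `isBlockedHost` and the blocked-range list are assumptions of this example; `doFetch` is injected so the code runs offline.

```javascript
// Added example, not Backstage's own code: the hostname check runs on EVERY hop,
// so a metadata URL on a public host cannot redirect the fetch into a private range.

// Private, loopback, link-local and "this host" IPv4 ranges (constructed list).
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];
const V4_LITERAL = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}

// True when the hostname is a literal that must never be fetched. WHATWG URL parsing
// already normalises decimal/hex/short IPv4 forms, so the literal is canonical here.
// Note: this inspects literals only; names that resolve to private addresses need a
// resolver-level check that is out of scope for this example.
function isBlockedHost(hostname) {
  if (hostname === "localhost" || hostname.startsWith("[")) return true; // no IPv6 literals
  if (!V4_LITERAL.test(hostname)) return false;
  const n = ipv4ToInt(hostname);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Follow redirects by hand so the check above is applied at each hop. `doFetch(href)`
// is a hypothetical injected async function returning { status, location } so the
// example runs offline; in a service it would wrap fetch(href, { redirect: "manual" }).
async function fetchWithHopValidation(startUrl, doFetch, maxHops = 5) {
  let url = new URL(startUrl);
  const hops = [];
  for (let hop = 0; hop <= maxHops; hop++) {
    if (url.protocol !== "https:" || isBlockedHost(url.hostname)) {
      throw new Error(`refused ${url.href} at hop ${hop}`);
    }
    hops.push(url.href);
    const res = await doFetch(url.href);
    if (res.status < 300 || res.status >= 400 || !res.location) {
      return { finalUrl: url.href, status: res.status, hops };
    }
    url = new URL(res.location, url); // relative Location headers resolve against the hop
  }
  throw new Error("too many redirects");
}
```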

Weakness Enumeration: SSRF

Related Identifiers

CVE-2026-32236
GHSA-QP4C-XG64-7C6X

Affected Products

@backstage/plugin-auth-backend
Backstage
plugin-auth-backend