Backstage, OAuth Redirect Bypass, CVE-2026-32235 (Medium)

Listen to this Post

The vulnerability resides in the experimental OIDC provider within the `@backstage/plugin-auth-backend` . It specifically affects instances where administrators have enabled either the experimental Dynamic Client Registration feature or the Client ID Metadata Documents feature, alongside configuring `allowedRedirectUriPatterns` . The flaw allows an attacker to craft a malicious redirect URI that bypasses the allowlist validation. This bypass is possible because the validation logic fails to properly resolve the URI, allowing an attacker-controlled host to pass as legitimate . If a victim user is tricked into approving the OAuth consent request for this manipulated redirect, their authorization code is sent to the attacker’s server . The attacker can then exchange this stolen authorization code for a valid access token, effectively compromising the victim’s account or data within the Backstage application . The attack requires explicit user interaction and depends on the administrator enabling non-default experimental features, which reduces the overall risk but still poses a significant threat to exposed instances .

dailycve form:

Platform: Backstage
Version: before 0.27.1
Vulnerability: OIDC redirect bypass
Severity: 5.9 MEDIUM
date: 2026-03-12

Prediction: Patch already available

What Undercode Say:

Analytics:

The vulnerability `CVE-2026-32235` carries a CVSS score of 5.9 (Medium), with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N . This indicates a network-based attack vector with high attack complexity, requiring user interaction. The primary impact is on confidentiality (High), with a secondary low impact on integrity. The exploitability score is relatively low due to the prerequisites of victim interaction and the need for experimental features to be enabled. The vulnerability was published and updated by GitHub on March 12, 2026, and is classified under CWE-601 (URL Redirection to Untrusted Site) . The official fix was committed and released in version `0.27.1` of the @backstage/plugin-auth-backend.

Bash Commands/Codes:

Check the current version of @backstage/plugin-auth-backend
Run this in your Backstage backend directory
yarn list --pattern @backstage/plugin-auth-backend
Or using npm
npm list @backstage/plugin-auth-backend
To update to the patched version
yarn upgrade @backstage/[email protected]
With npm
npm install @backstage/[email protected]
Verify the update
grep '@backstage/plugin-auth-backend' yarn.lock
or
grep '@backstage/plugin-auth-backend' package-lock.json

How Exploit:

  1. Prerequisite: Attacker identifies a Backstage instance that has enabled the “experimental Dynamic Client Registration” or “Client ID Metadata Documents” features.
  2. Crafting URI: The attacker crafts a malicious redirect URI that, despite pointing to an attacker-controlled domain, passes the `allowedRedirectUriPatterns` validation due to a parsing or validation flaw .
  3. Victim Interaction: The attacker lures a victim user into clicking a link that initiates the OIDC login flow with the malicious redirect URI.
  4. Token Harvesting: If the victim approves the OAuth consent screen, the authorization code is sent to the attacker’s server instead of the legitimate Backstage application .
  5. Session Takeover: The attacker exchanges the stolen authorization code for a valid access token, gaining unauthorized access to the victim’s Backstage session and data .

Protection from this CVE:

  • Immediate Patching: Upgrade the `@backstage/plugin-auth-backend` package to version `0.27.1` or later .
  • Disable Experimental Features: If the experimental OIDC features (Dynamic Client Registration or Client ID Metadata Documents) are not strictly necessary, disable them immediately .
  • Review Allowlist: Carefully review any configured `allowedRedirectUriPatterns` to ensure they are as restrictive as possible and cannot be misinterpreted.
  • User Education: Educate users about the risks of approving OAuth consent requests from untrusted or unexpected sources, as victim interaction is required for a successful exploit.

Impact:

A successful exploit allows an attacker to hijack a victim’s OAuth authorization code and exchange it for a valid access token . This results in unauthorized access to the victim’s account and the data accessible within the Backstage application. The impact is primarily on the confidentiality of user data, with a low potential for integrity violations if the attacker uses the compromised token to modify data . While victim interaction and non-default configurations are required, the risk is significant for organizations using these experimental OIDC features in production.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top