Listen to this Post
The vulnerability resides in the experimental OIDC provider within the `@backstage/plugin-auth-backend` . It specifically affects instances where administrators have enabled either the experimental Dynamic Client Registration feature or the Client ID Metadata Documents feature, alongside configuring `allowedRedirectUriPatterns` . The flaw allows an attacker to craft a malicious redirect URI that bypasses the allowlist validation. This bypass is possible because the validation logic fails to properly resolve the URI, allowing an attacker-controlled host to pass as legitimate . If a victim user is tricked into approving the OAuth consent request for this manipulated redirect, their authorization code is sent to the attacker’s server . The attacker can then exchange this stolen authorization code for a valid access token, effectively compromising the victim’s account or data within the Backstage application . The attack requires explicit user interaction and depends on the administrator enabling non-default experimental features, which reduces the overall risk but still poses a significant threat to exposed instances .
dailycve form:
Platform: Backstage
Version: before 0.27.1
Vulnerability: OIDC redirect bypass
Severity: 5.9 MEDIUM
date: 2026-03-12
Prediction: Patch already available
What Undercode Say:
Analytics:
The vulnerability `CVE-2026-32235` carries a CVSS score of 5.9 (Medium), with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N . This indicates a network-based attack vector with high attack complexity, requiring user interaction. The primary impact is on confidentiality (High), with a secondary low impact on integrity. The exploitability score is relatively low due to the prerequisites of victim interaction and the need for experimental features to be enabled. The vulnerability was published and updated by GitHub on March 12, 2026, and is classified under CWE-601 (URL Redirection to Untrusted Site) . The official fix was committed and released in version `0.27.1` of the @backstage/plugin-auth-backend.
Bash Commands/Codes:
Check the current version of @backstage/plugin-auth-backend Run this in your Backstage backend directory yarn list --pattern @backstage/plugin-auth-backend Or using npm npm list @backstage/plugin-auth-backend To update to the patched version yarn upgrade @backstage/[email protected] With npm npm install @backstage/[email protected] Verify the update grep '@backstage/plugin-auth-backend' yarn.lock or grep '@backstage/plugin-auth-backend' package-lock.json
How Exploit:
- Prerequisite: Attacker identifies a Backstage instance that has enabled the “experimental Dynamic Client Registration” or “Client ID Metadata Documents” features.
- Crafting URI: The attacker crafts a malicious redirect URI that, despite pointing to an attacker-controlled domain, passes the `allowedRedirectUriPatterns` validation due to a parsing or validation flaw .
- Victim Interaction: The attacker lures a victim user into clicking a link that initiates the OIDC login flow with the malicious redirect URI.
- Token Harvesting: If the victim approves the OAuth consent screen, the authorization code is sent to the attacker’s server instead of the legitimate Backstage application .
- Session Takeover: The attacker exchanges the stolen authorization code for a valid access token, gaining unauthorized access to the victim’s Backstage session and data .
Protection from this CVE:
- Immediate Patching: Upgrade the `@backstage/plugin-auth-backend` package to version `0.27.1` or later .
- Disable Experimental Features: If the experimental OIDC features (Dynamic Client Registration or Client ID Metadata Documents) are not strictly necessary, disable them immediately .
- Review Allowlist: Carefully review any configured `allowedRedirectUriPatterns` to ensure they are as restrictive as possible and cannot be misinterpreted.
- User Education: Educate users about the risks of approving OAuth consent requests from untrusted or unexpected sources, as victim interaction is required for a successful exploit.
Impact:
A successful exploit allows an attacker to hijack a victim’s OAuth authorization code and exchange it for a valid access token . This results in unauthorized access to the victim’s account and the data accessible within the Backstage application. The impact is primarily on the confidentiality of user data, with a low potential for integrity violations if the attacker uses the compromised token to modify data . While victim interaction and non-default configurations are required, the risk is significant for organizations using these experimental OIDC features in production.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

