CVE-2026-32235

Description

### Impact The experimental OIDC provider in `@backstage/plugin-auth-backend` is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured `allowedRedirectUriPatterns` are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default. ### Patches Upgrade to `@backstage/plugin-auth-backend` version 0.27.1 or later. ### Workarounds Disable experimental Dynamic Client Registration and Client ID Metadata Documents features if they are not required. ### References - [RFC 6749 Section 3.1.2 - Redirection Endpoint](https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2)

How to fix CVE-2026-32235

To remediate CVE-2026-32235, upgrade the affected package to a fixed version below.

• —upgrade to 0.27.1 or later

Is CVE-2026-32235 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 0.27.1

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-32235
• PATCHgithub.com/backstage/backstage
• WEBgithub.com/backstage/backstage/commit/6042dd0c7f0706e0f473dafa92799ecf19c825ec
• WEBgithub.com/backstage/backstage/security/advisories/GHSA-wqvh-63mv-9w92