CVE-2026-32236
@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
Description
### Impact A Server-Side Request Forgery (SSRF) vulnerability exists in `@backstage/plugin-auth-backend` when `auth.experimentalClientIdMetadataDocuments.enabled` is set to `true`. The CIMD metadata fetch validates the initial `client_id` hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict `allowedClientIdPatterns` to specific trusted domains are not affected. ### Patches Patched in `@backstage/plugin-auth-backend` version `0.27.1`. The fix disables HTTP redirect following when fetching CIMD metadata documents. ### Workarounds Disable the experimental CIMD feature by removing or setting `auth.experimentalClientIdMetadataDocuments.enabled` to `false` in your app-config. This is the default configuration. Alternatively, restrict `allowedClientIdPatterns` to specific trusted domains rather than using the default wildcard pattern. ### References - [IETF Client ID Metadata Document draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) - [MCP Authorization Specification - Client ID Metadata Documents](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-id-metadata-documents)
How to fix CVE-2026-32236
To remediate CVE-2026-32236, upgrade the affected package to a fixed version below.
- —upgrade to 0.27.1 or later
Is CVE-2026-32236 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.