anonhaven
Ad

CVE-2026-32235

MEDIUM CVSS 3.1: 5.9 EPSS 0.03%
Updated Mar 12, 2026
Backstage
Parameter Value
CVSS 5.9 (MEDIUM)
Fixed In 0.27.1
Type CWE-601 (Open Redirect)
Vendor Backstage
Public PoC No

Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected.

A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default.

This vulnerability is fixed in 0.27.1.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-601 Open Redirect

References 1

https://github.com/backstage/backstage/security/advisories/GHSA-wqvh-63mv-9w92
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-32236

Backstage

0.0

CVE-2026-29185

Backstage

2.7

CVE-2026-29184

Backstage

2.0