Backstage plugin-auth-backend OAuth redirect URI allowlist bypass
GHSA-wqvh-63mv-9w92
CVE-2026-32235
Summary
The experimental OIDC provider in `@backstage/plugin-auth-backend` accepts a specially crafted redirect URI that passes the `allowedRedirectUriPatterns` allowlist while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, the authorization code is delivered to the attacker, who can exchange it for a valid access token. Exploitation requires victim interaction and only affects instances that have explicitly enabled the experimental Dynamic Client Registration or Client ID Metadata Documents features, which are off by default. Upgrade to version 0.27.1 or later, or disable those experimental features if they are not needed.
What to do
- Update `@backstage/plugin-auth-backend` to version 0.27.1 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| backstage | @backstage/plugin-auth-backend | < 0.27.1 | 0.27.1 |
Original title
@backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass
Original description
### Impact
The experimental OIDC provider in `@backstage/plugin-auth-backend` is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured `allowedRedirectUriPatterns` are affected.
A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token.
This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default.
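The advisory does not publish the exact crafted URI, and the following is an added illustration rather than Backstage's code or a reproduction of its fix. It shows the general class of bug described above: when a redirect URI allowlist pattern is matched against the raw URI string, a wildcard in the host position can run across the `@`, `/` and `?` delimiters, so the allowlisted host only has to appear somewhere in the string while the URL actually resolves to another host. The hardened variant parses the URI and compares scheme, host and path separately, and rejects userinfo and fragments (RFC 6749 section 3.1.2 forbids a fragment in the redirection endpoint URI). The pattern syntax, the `*.example.com` allowlist entry and the function names are assumptions for this example.

```typescript
// Added example, not Backstage's code. Contrasts a string-based redirect URI
// allowlist (bypassable) with a component-wise check (hardened).

// Hypothetical allowlist entry: any single subdomain of example.com over HTTPS.
const ALLOWED_REDIRECT_URI_PATTERNS: string[] = ["https://*.example.com/*"];

// Turn a glob into an anchored regex; every "*" becomes ".*".
function globToRegExp(glob: string): RegExp {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Naive check: the whole URI is one flat string, so the ".*" standing in for
// the host wildcard happily spans "@", "/", "?" and "#". The allowlisted host
// suffix only needs to occur somewhere later in the URI.
function naiveIsAllowed(redirectUri: string, patterns: string[] = ALLOWED_REDIRECT_URI_PATTERNS): boolean {
  return patterns.some((p) => globToRegExp(p).test(redirectUri));
}

function parseUrl(value: string): URL | null {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// "*.example.com" matches exactly one additional label; anything else is an
// exact (case-insensitive) host comparison. `host` comes from the parser, so
// it is already lowercased and carries a non-default port if one was given.
function hostMatches(hostPattern: string, host: string): boolean {
  const pattern = hostPattern.toLowerCase();
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    if (!host.endsWith(suffix)) return false;
    const label = host.slice(0, host.length - suffix.length);
    return label.length > 0 && !label.includes(".");
  }
  return pattern === host;
}

// Hardened check: parse with the WHATWG URL parser, then compare the pattern's
// scheme, host and path glob against the corresponding parsed components.
// Userinfo ("user@host") and fragments are rejected outright; RFC 6749 s3.1.2
// forbids a fragment component in the redirection endpoint URI.
function hardenedIsAllowed(redirectUri: string, patterns: string[] = ALLOWED_REDIRECT_URI_PATTERNS): boolean {
  const candidate = parseUrl(redirectUri);
  if (!candidate) return false;
  if (candidate.username !== "" || candidate.password !== "") return false;
  if (candidate.hash !== "") return false;

  return patterns.some((p) => {
    // scheme://hostpattern[/pathglob]; a malformed pattern never matches.
    const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]+)(\/[^#]*)?$/i.exec(p);
    if (!m) return false;
    const [, scheme, hostPattern, pathGlob = "/"] = m;
    return (
      candidate.protocol === scheme.toLowerCase() + ":" &&
      hostMatches(hostPattern, candidate.host) &&
      globToRegExp(pathGlob).test(candidate.pathname + candidate.search)
    );
  });
}

// Side-by-side verdicts for one URI, handy for reviewing an allowlist config.
function compare(redirectUri: string): { naive: boolean; hardened: boolean } {
  return { naive: naiveIsAllowed(redirectUri), hardened: hardenedIsAllowed(redirectUri) };
}

// Constructed inputs: one legitimate callback, two URIs that carry the
// allowlisted host suffix in the query or userinfo while resolving elsewhere,
// and one with a fragment.
for (const uri of [
  "https://app.example.com/callback",
  "https://evil.example.net/cb?u=x.example.com/",
  "https://x.example.com@evil.example.net/.example.com/",
  "https://app.example.com/cb#fragment",
]) {
  console.log(uri, compare(uri));
}
```

The naive matcher accepts all four URIs, because `^https://.*\.example\.com/.*$` is satisfied as soon as `.example.com/` appears anywhere after the scheme; the hardened matcher accepts only the first. Exact string comparison of the full redirect URI, as RFC 6749 section 3.1.2.3 specifies when a complete URI is registered, is stricter still and is the safer default when wildcards are not genuinely required.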
### Patches
Upgrade to `@backstage/plugin-auth-backend` version 0.27.1 or later.
### Workarounds
Disable experimental Dynamic Client Registration and Client ID Metadata Documents features if they are not required.
### References
- [RFC 6749 Section 3.1.2 - Redirection Endpoint](https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2)
CVSS 3.1 base score (GHSA): 5.9
Vulnerability type
- CWE-20: Improper Input Validation
- CWE-601: Open Redirect
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026