Backstage Auth Backend Allows Attackers to Access Internal Resources
GHSA-qp4c-xg64-7c6x
CVE-2026-32236
Summary
A Server-Side Request Forgery (SSRF) flaw in the Backstage Auth Backend plugin lets an attacker make the plugin send requests to internal resources, but only when the experimental Client ID Metadata Document (CIMD) feature is enabled and the attacker can make the metadata fetch redirect to a private IP address. To fix this, update to version 0.27.1 of the plugin; alternatively, turn off the experimental feature in your app-config or restrict `allowedClientIdPatterns` to trusted domains.
What to do
- Update `@backstage/plugin-auth-backend` to version 0.27.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| backstage | plugin-auth-backend | <= 0.27.1 | 0.27.1 |
Original title
@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
Original description
### Impact
A Server-Side Request Forgery (SSRF) vulnerability exists in `@backstage/plugin-auth-backend` when `auth.experimentalClientIdMetadataDocuments.enabled` is set to `true`. The CIMD
metadata fetch validates the initial `client_id` hostname against private IP ranges but does not apply the same validation after HTTP redirects.
The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly
enabled via an experimental flag that is off by default. Deployments that restrict `allowedClientIdPatterns` to specific trusted domains are not affected.
### Patches
Patched in `@backstage/plugin-auth-backend` version `0.27.1`. The fix disables HTTP redirect following when fetching CIMD metadata documents.
### Workarounds
Disable the experimental CIMD feature by removing or setting `auth.experimentalClientIdMetadataDocuments.enabled` to `false` in your app-config. This is the default configuration.
Alternatively, restrict `allowedClientIdPatterns` to specific trusted domains rather than using the default wildcard pattern.
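The redirect gap described under Impact, the redirect-refusing fix described under Patches, and the `allowedClientIdPatterns` workaround, shown together in an added example that is not Backstage's own code. The private-range list, the glob syntax of the host allow-list, and the in-memory stand-in for `fetch()` (synchronous, so the example runs offline) are assumptions for this example; `FAKE_NETWORK` is constructed data.

```javascript
// Added example (not Backstage's code): a CIMD-style metadata fetcher that checks the
// client_id host before the request, and why that is not enough when the client follows redirects.

// Hostname literals treated as private. Assumed list, not Backstage's; a literal-IP
// check does not cover DNS names that resolve to private addresses.
const PRIVATE_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isPrivateHost(hostname) {
  const host = hostname.replace(/^\[|\]$/g, '').toLowerCase(); // URL gives IPv6 as "[::1]"
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  const v4 = ipv4ToInt(host);
  if (v4 !== null) {
    return PRIVATE_V4.some(([base, bits]) => {
      const mask = (~0 << (32 - bits)) >>> 0;
      return ((v4 & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
    });
  }
  if (host.includes(':')) { // IPv6 literal: loopback, unspecified, ULA, link-local, v4-mapped
    return host === '::1' || host === '::' || /^f[cd]/.test(host) || host.startsWith('fe80:') || host.startsWith('::ffff:');
  }
  return false;
}

// Glob-style host allow-list ('*' matches any run of characters). Assumed syntax for
// this example, not taken from Backstage.
function hostMatches(hostname, pattern) {
  const parts = pattern.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$', 'i').test(hostname);
}

// Constructed stand-in for the network: URL -> canned response. The first URL answers
// with a 302 pointing at an internal address.
const FAKE_NETWORK = {
  'https://client.example.com/metadata.json': { status: 302, location: 'http://10.0.0.5/admin' },
  'http://10.0.0.5/admin': { status: 200, body: '{"internal":true}' },
  'https://app.trusted.example/metadata.json': {
    status: 200,
    body: '{"client_id":"https://app.trusted.example/metadata.json","redirect_uris":["https://app.trusted.example/cb"]}',
  },
};
const REQUEST_LOG = []; // every URL the fake client actually contacts

// Synchronous stand-in for fetch(). Like the real client, 'follow' chases Location headers
// internally so the caller never sees the hop; 'error' refuses any redirect (the 0.27.1 behaviour).
function fakeFetch(url, { redirect = 'follow' } = {}) {
  let current = url;
  for (let hop = 0; hop < 5; hop++) {
    REQUEST_LOG.push(current);
    const entry = FAKE_NETWORK[current];
    if (!entry) throw new TypeError(`fetch failed: no route to ${current}`);
    if (entry.status >= 300 && entry.status < 400 && entry.location) {
      if (redirect === 'error') throw new TypeError(`fetch failed: redirect to ${entry.location} refused`);
      current = new URL(entry.location, current).href;
      continue;
    }
    return { ok: entry.status < 300, status: entry.status, url: current, body: entry.body };
  }
  throw new TypeError('fetch failed: too many redirects');
}

function fetchClientMetadata(clientId, { followRedirects, allowedHostPatterns = ['*'], fetchImpl = fakeFetch }) {
  const url = new URL(clientId);
  if (url.protocol !== 'https:') throw new Error('client_id must be an https URL');
  if (!allowedHostPatterns.some(p => hostMatches(url.hostname, p))) throw new Error(`host ${url.hostname} not in allow-list`);
  if (isPrivateHost(url.hostname)) throw new Error(`host ${url.hostname} is private`);
  // Only the initial URL was checked above; whether a redirect target gets checked at all
  // depends on the redirect mode handed to the client.
  const res = fetchImpl(url.href, { redirect: followRedirects ? 'follow' : 'error' });
  if (!res.ok) throw new Error(`metadata fetch failed with status ${res.status}`);
  return { finalUrl: res.url, metadata: JSON.parse(res.body) };
}

// Runs one fetch and reports the outcome plus which URLs were actually contacted.
function scenario(clientId, opts) {
  REQUEST_LOG.length = 0;
  try {
    const { finalUrl } = fetchClientMetadata(clientId, opts);
    return { outcome: 'ok', finalUrl, contacted: [...REQUEST_LOG] };
  } catch (e) {
    return { outcome: e instanceof TypeError ? 'fetch-error' : 'rejected', reason: e.message, contacted: [...REQUEST_LOG] };
  }
}

const CLIENT = 'https://client.example.com/metadata.json';
console.log('before fix :', scenario(CLIENT, { followRedirects: true }));
console.log('after fix  :', scenario(CLIENT, { followRedirects: false }));
console.log('allow-list :', scenario(CLIENT, { followRedirects: true, allowedHostPatterns: ['*.trusted.example'] }));
console.log('private id :', scenario('https://10.0.0.5/metadata.json', { followRedirects: true }));
```

Run it with `node`. The `contacted` list is the defender's view: with redirects followed, the server reaches `http://10.0.0.5/admin` even though `10.0.0.5` would have been rejected as an initial `client_id`; with redirects refused, only the validated host is ever contacted, and the allow-list rejects the untrusted host before any request is made.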
### References
- [IETF Client ID Metadata Document draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)
- [MCP Authorization Specification - Client ID Metadata Documents](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-id-metadata-documents)
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026