Skip to main content

Backstage CVE-2026-32236

LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-12 security-advisories@github.com GHSA-qp4c-xg64-7c6x
1.7
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
1.7 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 15, 2026 - 21:22 NVD
1.7 (LOW)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 19:57 vuln.today
CVE Published
Mar 12, 2026 - 19:16 nvd
NONE

DescriptionGitHub Advisory

Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.

AnalysisAI

Impact

A Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects.

The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected.

Patches

Patched in @backstage/plugin-auth-backend version 0.27.1. The fix disables HTTP redirect following when fetching CIMD metadata documents.

Workarounds

Disable the experimental CIMD feature by removing or setting auth.experimentalClientIdMetadataDocuments.enabled to false in your app-config. This is the default configuration. Alternatively, restrict allowedClientIdPatterns to specific trusted domains rather than using the default wildcard pattern.

References

Technical ContextAI

Server-Side Request Forgery allows an attacker to induce the server to make HTTP requests to arbitrary destinations, including internal services. This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918).

RemediationAI

A vendor patch is available — apply it immediately. Validate and whitelist allowed URLs and IP ranges. Block requests to internal/private IP ranges. Use network segmentation to limit server-side request scope.

CVE-2023-35926 CRITICAL
9.9 Jun 22

Backstage is an open platform for building developer portals. Rated critical severity (CVSS 9.9), this vulnerability is

CVE-2026-25153 HIGH
8.8 Jan 30

Arbitrary Python code execution in Backstage's @backstage/plugin-techdocs-node (versions < 1.13.11 and = 1.14.0) lets a

CVE-2021-43783 HIGH
8.5 Nov 29

@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Rated high severity (C

CVE-2024-45816 MEDIUM
6.5 Sep 17

Backstage is an open framework for building developer portals. Rated medium severity (CVSS 6.5), this vulnerability is r

CVE-2024-45815 MEDIUM
6.5 Sep 17

Backstage is an open framework for building developer portals. Rated medium severity (CVSS 6.5), this vulnerability is r

CVE-2021-32662 MEDIUM
6.5 Jun 03

Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Ba

CVE-2023-6944 MEDIUM
5.7 Jan 04

A flaw was found in the Red Hat Developer Hub (RHDH). Rated medium severity (CVSS 5.7), this vulnerability is remotely e

CVE-2024-46976 MEDIUM
5.4 Sep 17

Backstage is an open framework for building developer portals. Rated medium severity (CVSS 5.4), this vulnerability is r

CVE-2026-25152 MEDIUM
5.3 Jan 30

Backstage TechDocs plugin versions prior to 1.13.11 and 1.14.1 contain a path traversal vulnerability that allows authen

CVE-2021-41151 MEDIUM
4.9 Oct 18

Backstage is an open platform for building developer portals. Rated medium severity (CVSS 4.9), this vulnerability is re

Share

CVE-2026-32236 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy