VulnerableCode Package Details - pkg:npm/%40backstage/plugin-auth-backend@0.10.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-g3nc-3rdj-akh2 Aliases: CVE-2026-32235 GHSA-wqvh-63mv-9w92	Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default. This vulnerability is fixed in 0.27.1.	0.27.1 Affected by 0 other vulnerabilities.
VCID-k15p-db8h-sqbz Aliases: CVE-2026-32236 GHSA-qp4c-xg64-7c6x	Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.	0.27.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-g3nc-3rdj-akh2
Aliases:
CVE-2026-32235
GHSA-wqvh-63mv-9w92

Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default. This vulnerability is fixed in 0.27.1.

0.27.1
Affected by 0 other vulnerabilities.

VCID-k15p-db8h-sqbz
Aliases:
CVE-2026-32236
GHSA-qp4c-xg64-7c6x

Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.

0.27.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T21:25:05.916691+00:00	GitLab Importer	Affected by	VCID-g3nc-3rdj-akh2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@backstage/plugin-auth-backend/CVE-2026-32235.yml	38.6.0
2026-06-12T21:23:10.226689+00:00	GitLab Importer	Affected by	VCID-k15p-db8h-sqbz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@backstage/plugin-auth-backend/CVE-2026-32236.yml	38.6.0

2026-06-12T21:25:05.916691+00:00

GitLab Importer

Affected by

VCID-g3nc-3rdj-akh2

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@backstage/plugin-auth-backend/CVE-2026-32235.yml

38.6.0

2026-06-12T21:23:10.226689+00:00

GitLab Importer

Affected by

VCID-k15p-db8h-sqbz

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@backstage/plugin-auth-backend/CVE-2026-32236.yml

38.6.0

Next non-vulnerable version	0.27.1
Latest non-vulnerable version	0.27.1
Risk