{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32236", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T14:47:05.683Z", "datePublished": "2026-03-12T18:37:11.330Z", "dateUpdated": "2026-04-15T20:46:50.517Z"}, "containers": {"cna": {"title": "@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 1.7, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x"}, {"name": "https://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851de0e07", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851de0e07"}], "affected": [{"vendor": "@backstage", "product": "plugin-auth-backend", "versions": [{"version": "< 0.27.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T20:46:50.517Z"}, "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD\nmetadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1."}], "source": {"advisory": "GHSA-qp4c-xg64-7c6x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T20:38:12.992484Z", "id": "CVE-2026-32236", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:46:40.754Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32236", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T20:38:12.992484Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:38:13.637Z"}}], "cna": {"title": "@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch", "source": {"advisory": "GHSA-qp4c-xg64-7c6x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 1.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "@backstage", "product": "plugin-auth-backend", "versions": [{"status": "affected", "version": "< 0.27.1"}]}], "references": [{"url": "https://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x", "name": "https://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851de0e07", "name": "https://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851de0e07", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD\nmetadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T20:46:50.517Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32236", "state": "PUBLISHED", "dateUpdated": "2026-04-15T20:46:50.517Z", "dateReserved": "2026-03-11T14:47:05.683Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T18:37:11.330Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF2B3D86-9F1F-492C-A156-5DF20A14460C", "versionEndIncluding": "0.27.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD\nmetadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1."}, {"lang": "es", "value": "Backstage es un framework abierto para construir portales de desarrollador. Antes de 0.27.1, existe una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en @backstage/plugin-auth-backend cuando auth.experimentalClientIdMetadataDocuments.enabled est\u00e1 configurado como true. La obtenci\u00f3n de metadatos CIMD valida el nombre de host client_id inicial contra rangos de IP privados, pero no aplica la misma validaci\u00f3n despu\u00e9s de las redirecciones HTTP. El impacto pr\u00e1ctico es limitado. El atacante no puede leer el cuerpo de la respuesta de la petici\u00f3n interna, no puede controlar las cabeceras o el m\u00e9todo de la petici\u00f3n, y la caracter\u00edstica debe habilitarse expl\u00edcitamente mediante una bandera experimental que est\u00e1 desactivada por defecto. Las implementaciones que restringen allowedClientIdPatterns a dominios de confianza espec\u00edficos no se ven afectadas. Parcheado en la versi\u00f3n 0.27.1 de @backstage/plugin-auth-backend."}], "id": "CVE-2026-32236", "lastModified": "2026-04-15T21:17:26.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.7, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-12T19:16:18.867", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851de0e07"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "@backstage/plugin-auth-backend: @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch", "id": "2447090", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447090"}, "csaw": false, "cvss3": {"cvss3_base_score": "0.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["A server side request forgery flaw has been discovered in the npm @backstage/plugin-auth-backend package. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-32236", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-03-12T18:37:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32236\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32236\nhttps://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851de0e07\nhttps://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.27.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "plugin-auth-backend", "source": "cna", "vendor": "@backstage"}, "product": "plugin-auth-backend", "vendor": "backstage"}], "analysis": {"en": {"generated_at": "2026-04-16T02:46:35.052087+00:00", "value": {"mitigation_remediation": ["Upgrade to @backstage/plugin\u2011auth\u2011backend version 0.27.1 or later", "Disable the auth.experimentalClientIdMetadataDocuments.enabled flag if the experimental feature is not needed", "Configure allowedClientIdPatterns to limit client_id URLs to trusted domains"], "summary": {"action": "Patch", "impact": "Server-Side Request Forgery"}, "threat_synthesis": {"affected_systems": "All deployments of the @backstage/plugin\u2011auth\u2011backend component earlier than version 0.27.1 are vulnerable. The plugin is part of the Backstage open\u2011source developer portal framework. If the application disables the experimental feature flag or restricts allowedClientIdPatterns to trusted domains, the vulnerability does not apply.", "description_and_impact": "The vulnerability allows an attacker to force the Backstage application to make an outgoing HTTP request to a supplied client_id URL. Because the initial host name is validated against private IP ranges but the validation is not reapplied after HTTP redirects, a carefully crafted target can induce the server to reach internal resources. However, the attacker cannot read the response body, control request headers or the HTTP method, and the feature that triggers the fetch must be explicitly enabled via the experimental flag. Thus the practical impact is limited to probing internal network addresses that the application can reach. The weakness is a classic Server\u2011Side Request Forgery (CWE\u2011918).", "risk_and_exploitability": "The vulnerability scores a CVSS of 1.7, indicating a low severity, and has a low EPSS (<1%). It is not listed in the CISA KEV catalog, implying a low likelihood of exploitation. An attacker would need the ability to modify the application configuration to enable the experimental flag and supply a target URL that redirects to an internal host. Because the exploit cannot retrieve sensitive data from the internal request, the overall risk remains low, but a patch is recommended to eliminate the possibility of internal network probing."}}}}, "created": "2026-03-13T09:50:18.218789+00:00", "updated": "2026-04-16T03:00:09.178268+00:00", "vendors": ["backstage", "backstage$PRODUCT$plugin-auth-backend"]}