{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "0.27.0" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "750ca1cce7f29d63e1ceaf8e269f8ec6ceb58f9c" } ], "repo": "https://github.com/backstage/backstage", "type": "GIT" } ] } ], "aliases": [ "GHSA-wqvh-63mv-9w92" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-601" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32235.json" }, "details": "Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default. This vulnerability is fixed in 0.27.1.", "id": "CVE-2026-32235", "modified": "2026-04-01T23:10:10.416505477Z", "published": "2026-03-12T18:35:06.325Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32235.json" }, { "type": "ADVISORY", "url": "https://github.com/backstage/backstage/security/advisories/GHSA-wqvh-63mv-9w92" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32235" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N", "type": "CVSS_V3" } ], "summary": "@backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass" }