CVE-2026-32236
Published: 12 March 2026
Summary
CVE-2026-32236 is a low-severity SSRF (CWE-918) vulnerability in Linuxfoundation Backstage. Its CVSS base score is 1.7 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-32236 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the @backstage/plugin-auth-backend component of Backstage, an open framework for building developer portals. The issue exists in versions prior to 0.27.1 when the experimental configuration option auth.experimentalClientIdMetadataDocuments.enabled is set to true. During Client ID Metadata Document (CIMD) metadata fetches, the plugin validates the initial client_id hostname against private IP ranges but does not re-apply the same check to the target of an HTTP redirect, so a redirect can steer the fetch to a host that would have been rejected as the initial target. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
An unauthenticated, network-accessible attacker can exploit the flaw without user interaction by triggering a CIMD metadata fetch with a malicious client_id whose URL redirects to an internal resource. The attacker cannot read the response body of the internal request, cannot control its headers or method, and the feature must be explicitly enabled via an off-by-default experimental flag; even so, successful exploitation makes the server connect to unintended internal endpoints, potentially leading to high confidentiality impact such as internal network reconnaissance.
The vulnerability is patched in @backstage/plugin-auth-backend version 0.27.1, as detailed in the GitHub security advisory GHSA-qp4c-xg64-7c6x and the fixing commit 17038abf2dfdb4abc08a59b1c95af39851de0e07. Deployments that restrict allowedClientIdPatterns to specific trusted domains are unaffected, which is the key mitigation for deployments that have not yet upgraded.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11673
Vulnerability details
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.
- CWE(s): CWE-918 (Server-Side Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF vulnerability in the public-facing Backstage auth plugin maps directly to T1190 (Exploit Public-Facing Application); the limited ability to probe internal endpoints supports Network Service Discovery (T1046) for reconnaissance.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the SSRF vulnerability by requiring timely application of the patch in @backstage/plugin-auth-backend version 0.27.1, which validates client_id hostnames after HTTP redirects.
- CM-6 (Configuration Settings): Prevents exploitation by enforcing secure baseline configurations that leave the experimental auth.experimentalClientIdMetadataDocuments.enabled flag disabled or restrict allowedClientIdPatterns to trusted domains.
- SI-10 (Information Input Validation): Addresses the root cause by validating client_id inputs and the target of every subsequent HTTP redirect to block access to private IP ranges and internal resources.