CVE-2026-32236
Published: 12 March 2026
Summary
CVE-2026-32236 is a high-severity SSRF (CWE-918) vulnerability in Linuxfoundation Backstage. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 13.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
- Validates server-side URLs and resource references to block SSRF attempts.
- Detects server-side request forgery through monitoring of unexpected outbound connections.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The SSRF vulnerability in the public-facing Backstage auth plugin directly matches exploitation via T1190; the limited internal endpoint probing it allows supports network service discovery (T1046) for reconnaissance.
NVD Description
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.
Deeper analysis (AI-generated)
CVE-2026-32236 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the @backstage/plugin-auth-backend component of Backstage, an open framework for building developer portals. The issue exists in versions prior to 0.27.1 when the experimental configuration auth.experimentalClientIdMetadataDocuments.enabled is set to true. During Client ID Metadata Document (CIMD) metadata fetches, the plugin validates the initial client_id hostname against private IP ranges but fails to apply the same checks after HTTP redirects. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Any attacker with network access to the service can exploit this vulnerability without authentication or user interaction by triggering a CIMD metadata fetch with a malicious client_id that redirects to internal resources. While the attacker cannot read the response body of the internal request, cannot control request headers or method, and the feature requires explicit enabling via an off-by-default experimental flag, successful exploitation causes the server to connect to unintended internal endpoints, potentially leading to high confidentiality impacts such as network reconnaissance.
The vulnerability is patched in @backstage/plugin-auth-backend version 0.27.1, as detailed in the GitHub security advisory GHSA-qp4c-xg64-7c6x and the fixing commit 17038abf2dfdb4abc08a59b1c95af39851de0e07. Deployments that restrict allowedClientIdPatterns to specific trusted domains are unaffected, providing a key mitigation for those not yet upgraded.
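The redirect gap described above, shown as an added example that is not Backstage's own code: a metadata fetch that checks only the initial URL beside one that re-checks the host on every hop. The transport interface, function names and the client.example.com / 10.0.0.5 hosts are constructed for the example.

```typescript
// Added example (not Backstage's code): re-check the host on every redirect hop of a
// client_id metadata fetch. Transport is a synchronous stand-in for an HTTP client
// with automatic redirects disabled, so the example runs offline.
interface HopResponse { status: number; location?: string }
type Transport = (url: string) => HopResponse;
interface FetchResult { ok: boolean; finalUrl: string; reason?: string }
// Blocked IPv4 prefixes as [network, prefix length]: "this host", loopback,
// RFC 1918 private ranges and link-local.
const BLOCKED_V4: Array<[number, number]> = [[0, 8], [0x7f000000, 8],
  [0x0a000000, 8], [0xac100000, 12], [0xc0a80000, 16], [0xa9fe0000, 16]];
// Literal-address check only; a production check must also resolve the name
// and test every resolved address, since DNS can point at private space.
function isPrivateHost(host: string): boolean {
  const h = host.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost" || h === "::1" || h === "::") return true;
  const parts = h.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return false;
  const n = parts.reduce((acc, p) => acc * 256 + Number(p), 0);
  return BLOCKED_V4.some(([net, bits]) => n >>> (32 - bits) === net >>> (32 - bits));
}

function hostOf(url: string): string | null {
  const m = /^https?:\/\/(?:[^@\/?#]*@)?(\[[^\]]*\]|[^:\/?#]+)/i.exec(url);
  return m ? m[1] : null;
}

// validateEveryHop=false reproduces the reported gap (only the initial URL is
// checked); validateEveryHop=true is the hardened behaviour.
function fetchMetadata(startUrl: string, transport: Transport, validateEveryHop: boolean, maxHops = 5): FetchResult {
  let url = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (hop === 0 || validateEveryHop) {
      const host = hostOf(url);
      if (host === null) return { ok: false, finalUrl: url, reason: `unsupported URL at hop ${hop}` };
      if (isPrivateHost(host)) return { ok: false, finalUrl: url, reason: `blocked private host ${host} at hop ${hop}` };
    }
    const res = transport(url);
    if (res.status < 300 || res.status >= 400 || !res.location) {
      return { ok: res.status >= 200 && res.status < 300, finalUrl: url };
    }
    url = /^https?:\/\//i.test(res.location) ? res.location // absolute Location header
      : url.replace(/^(https?:\/\/[^\/?#]+).*$/i, "$1") + res.location; // root-relative
  }
  return { ok: false, finalUrl: url, reason: "too many redirects" };
}
// Constructed redirect chain: a public client host answers 302 to an internal address.
const sampleTransport: Transport = (url) =>
  url === "https://client.example.com/oauth-client-metadata.json"
    ? { status: 302, location: "http://10.0.0.5/internal/" }
    : url.startsWith("http://10.0.0.5/") ? { status: 200 } : { status: 404 };
```

With the same transport, the naive mode reaches http://10.0.0.5/internal/ while the per-hop mode stops at hop 1 with a reason string a defender can log and alert on.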
Details
- CWE(s)