
CVE-2026-32236

Severity: Low
Published: 12 March 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v4: 1.7 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0005 (14.9th percentile)
Risk Priority: 3 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32236 is a low-severity SSRF (CWE-918) vulnerability in Linuxfoundation Backstage. Its CVSS base score is 1.7 (Low).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE sits at the 14.9th EPSS percentile (below the median exploit likelihood) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-32236 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in the @backstage/plugin-auth-backend package of Backstage, an open framework for building developer portals. It affects versions prior to 0.27.1 when the experimental configuration option auth.experimentalClientIdMetadataDocuments.enabled is set to true. During a Client ID Metadata Document (CIMD) fetch, the plugin validates the hostname of the initial client_id URL against private IP ranges but does not repeat that check on the targets of HTTP redirects, so a redirecting response can steer the server-side request to an internal address. A CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) has also been assigned to this CVE; the CVSS v4 vector above rates the vulnerable system's confidentiality impact as none (VC:N) and its integrity impact as low (VI:L), which reflects that the attacker never sees the response of the forged request.

Any network-reachable attacker can trigger the flaw without authentication or user interaction by causing a CIMD metadata fetch for a malicious client_id whose server answers with a redirect to an internal resource. The attacker cannot read the response body of the internal request, cannot control its headers or method, and the feature must first be enabled via an off-by-default experimental flag. What successful exploitation yields is a server-initiated connection to an internal endpoint of the attacker's choosing: blind probing of the internal network (network reconnaissance) rather than disclosure of its contents.

The vulnerability is patched in @backstage/plugin-auth-backend version 0.27.1, as detailed in the GitHub security advisory GHSA-qp4c-xg64-7c6x and the fixing commit 17038abf2dfdb4abc08a59b1c95af39851de0e07. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected, which is the primary mitigation for deployments that have not yet upgraded; leaving the experimental flag at its default (disabled) removes the vulnerable code path altogether.
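The behaviour the fix restores, as an added example in JavaScript (Node, the language Backstage is written in) that is not Backstage's own code and does not reproduce the patched function: a metadata fetch that follows redirects manually and re-validates the destination host on every hop, with a flag that reproduces the vulnerable first-hop-only check for comparison. DNS and HTTP are injected and faked with constructed names (client.example.com) and a link-local metadata address, so the example runs offline; the private-range table and the function names are the editor's assumptions, not taken from the advisory or the project.

```javascript
// Added example, not Backstage code: a redirect-aware SSRF guard for a
// metadata fetch such as a Client ID Metadata Document lookup. DNS and HTTP
// are injected so the example runs offline against the fake network below.
// All hostnames, addresses and responses here are constructed.

const PRIVATE_V4 = [            // [base, prefix bits]
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

function parseV4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some(x => x > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// True for loopback, link-local (cloud metadata), RFC 1918, CGNAT, multicast,
// IPv6 unique-local/link-local and IPv4-mapped IPv6 forms of the above.
function isPrivateAddress(ip) {
  const v4 = parseV4(ip);
  if (v4 !== null) {
    return PRIVATE_V4.some(([base, bits]) => {
      const mask = (0xffffffff << (32 - bits)) >>> 0;
      return ((v4 & mask) >>> 0) === ((parseV4(base) & mask) >>> 0);
    });
  }
  const v6 = ip.toLowerCase().replace(/^\[|\]$/g, "");
  if (v6 === "::1" || v6 === "::") return true;
  if (/^f[cd][0-9a-f]{2}:/.test(v6)) return true;   // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(v6)) return true;   // fe80::/10 link local
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6);
  return mapped ? isPrivateAddress(mapped[1]) : false;
}

// Rejects any URL whose host resolves to a private address. `resolve` is an
// injected async name -> [ip] lookup (production: real DNS, every A/AAAA record).
async function assertPublicTarget(url, resolve) {
  const { protocol, hostname } = new URL(url);
  if (protocol !== "https:" && protocol !== "http:") throw new Error(`blocked scheme ${protocol}`);
  const host = hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) throw new Error("blocked host localhost");
  const literal = parseV4(host) !== null || host.includes(":");
  const addrs = literal ? [host] : await resolve(host);
  if (addrs.length === 0) throw new Error(`unresolvable host ${host}`);
  for (const a of addrs) {
    if (isPrivateAddress(a)) throw new Error(`blocked: ${host} -> ${a} is a private address`);
  }
}

// Fetches client_id metadata, following redirects manually so every hop can be
// re-validated. validateRedirects=false reproduces the vulnerable pattern (only
// the initial client_id host is checked). fetchImpl must not follow redirects
// itself and returns { status, headers, body }.
async function fetchClientMetadata(clientId, { fetchImpl, resolve, validateRedirects = true, maxRedirects = 5 }) {
  let url = clientId;
  const hops = [];
  for (let i = 0; i <= maxRedirects; i++) {
    if (i === 0 || validateRedirects) await assertPublicTarget(url, resolve);
    hops.push(url);
    const res = await fetchImpl(url, { redirect: "manual" });
    if (res.status >= 300 && res.status < 400 && res.headers.location) {
      url = new URL(res.headers.location, url).toString();   // Location may be relative
      continue;
    }
    return { status: res.status, finalUrl: url, hops, body: res.body };
  }
  throw new Error("too many redirects");
}

// --- constructed fake network for the demo ---
const FAKE_DNS = { "client.example.com": ["203.0.113.10"] };
const FAKE_HTTP = {
  "https://client.example.com/.well-known/client": {
    status: 302, headers: { location: "http://169.254.169.254/latest/meta-data/" }, body: "" },
  "http://169.254.169.254/latest/meta-data/": {
    status: 200, headers: {}, body: "constructed cloud metadata response" },
};
const fakeResolve = async name => FAKE_DNS[name] || [];
const fakeFetch = async url => FAKE_HTTP[url] || { status: 404, headers: {}, body: "" };

// Runs the same malicious client_id through both modes and reports whether the
// server ended up connecting to the link-local metadata endpoint.
async function demo(validateRedirects) {
  try {
    const r = await fetchClientMetadata("https://client.example.com/.well-known/client",
      { fetchImpl: fakeFetch, resolve: fakeResolve, validateRedirects });
    return { reachedInternal: r.finalUrl.startsWith("http://169.254.169.254/"), hops: r.hops.length, blocked: null };
  } catch (e) {
    return { reachedInternal: false, hops: 0, blocked: e.message };
  }
}

demo(false).then(r => console.log("vulnerable (first hop only):", r));
demo(true).then(r => console.log("fixed (every hop):", r));
```

Run with node; the vulnerable mode reports two hops ending at the metadata address, the fixed mode reports the redirect as blocked. One caveat the example does not solve: resolving the name in the guard and then letting the HTTP client resolve it again for the connection leaves a DNS-rebinding window, so a production guard should pin the address it validated to the socket it opens (for example through a custom lookup on the HTTP agent).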


Vulnerability details

Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

The SSRF in the public-facing Backstage auth plugin maps directly to T1190. The limited ability to make the server connect to internal endpoints supports Network Service Discovery (T1046): the attacker learns reachability, not content.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25153 (same product: Linuxfoundation Backstage)
CVE-2025-61916 (same vendor: Linuxfoundation)
CVE-2024-13924 (shared CWE-918)
CVE-2025-68137 (same vendor: Linuxfoundation)
CVE-2026-42860 (shared CWE-918)
CVE-2025-25785 (shared CWE-918)
CVE-2024-53705 (shared CWE-918)
CVE-2026-33701 (same vendor: Linuxfoundation)
CVE-2026-5418 (shared CWE-918)
CVE-2024-24421 (same vendor: Linuxfoundation)

Affected Assets

linuxfoundation / backstage (@backstage/plugin-auth-backend): versions ≤ 0.27.0, fixed in 0.27.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the SSRF vulnerability by requiring timely application of the patch in @backstage/plugin-auth-backend version 0.27.1, which validates client_id hostnames after HTTP redirects.

prevent (CM-6 Configuration Settings): Prevents exploitation by enforcing a secure baseline configuration that leaves the experimental auth.experimentalClientIdMetadataDocuments.enabled flag disabled or restricts allowedClientIdPatterns to trusted domains.

prevent (SI-10 Information Input Validation): Addresses the root cause by validating client_id inputs and every subsequent HTTP redirect target against private IP ranges and internal resources.
