CVE-2026-32235 Overview
Backstage is an open framework for building developer portals. A redirect URI allowlist bypass vulnerability exists in the experimental OIDC provider of @backstage/plugin-auth-backend prior to version 0.27.1. This vulnerability allows attackers to craft malicious redirect URIs that pass allowlist validation while actually resolving to attacker-controlled hosts. When a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can then exchange it for a valid access token.
Critical Impact
Authorization code theft via redirect URI manipulation can lead to unauthorized access to user accounts and sensitive data within Backstage deployments that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents with configured allowedRedirectUriPatterns.
Affected Products
- Backstage @backstage/plugin-auth-backend versions prior to 0.27.1
- Backstage instances with experimental Dynamic Client Registration enabled
- Backstage instances with Client ID Metadata Documents and configured allowedRedirectUriPatterns
Discovery Timeline
- 2026-03-12 - CVE CVE-2026-32235 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32235
Vulnerability Analysis
This vulnerability falls under CWE-601 (URL Redirection to Untrusted Site, also known as Open Redirect). The experimental OIDC provider in Backstage's authentication backend contains a flaw in how it validates redirect URIs against configured allowlist patterns. A specially crafted redirect URI can successfully pass the allowedRedirectUriPatterns validation checks while ultimately resolving to an attacker-controlled host.
The attack requires victim interaction, as the user must approve an OAuth consent request. Additionally, one of the experimental features (Dynamic Client Registration or Client ID Metadata Documents) must be explicitly enabled by the administrator—these are not enabled by default. Despite these prerequisites, successful exploitation results in the theft of OAuth authorization codes, which can be exchanged for valid access tokens granting the attacker authenticated access.
Root Cause
The root cause is improper validation logic in the redirect URI allowlist check. The pattern match is evaluated against the redirect URI as written, but the host that URI actually resolves to when a browser or OAuth client processes it is not the host the administrator intended to allow. Certain URI parsing edge cases are therefore enough to satisfy the allowedRedirectUriPatterns check while sending the authorization code somewhere else. The specific edge case is not detailed here; the underlying lesson is that a redirect URI must be parsed first and compared on its parsed components, not matched as a string.
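As an added illustration of the weakness class, not Backstage's code and not the specific bypass fixed in 0.27.1 (which this page does not detail): a naive allowlist check that applies an administrator-supplied pattern as an unanchored regex to the raw redirect_uri string, beside a strict check that parses the URI and requires an exact match against registered redirect URIs, as RFC 6749 and the OAuth security BCP recommend. The pattern, the registered URI, the host names and the probe URIs are all constructed for this example; the https-only rule is an assumption.

```typescript
// Added example: a generic CWE-601 style redirect_uri allowlist check.
// NOT Backstage code and NOT the exact bypass fixed in 0.27.1. It shows how
// a pattern match on the raw string can pass while the browser is sent to
// another host, and how a parse-then-exact-match check closes that gap.

// Weak check: the configured pattern is used as an unanchored regex over the
// raw string, before any URL parsing has happened.
function naiveAllowed(redirectUri: string, patterns: string[]): boolean {
  return patterns.some((p) => new RegExp(p).test(redirectUri));
}

// Parse with the WHATWG URL parser; null for anything unparsable.
function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Reduce a URI to the components that matter for redirect matching.
// Rejects userinfo (user:pass@host tricks) and fragments (RFC 6749 s3.1.2).
function canonicalRedirect(raw: string): string | null {
  const u = parseUrl(raw);
  if (u === null) return null;
  if (u.username !== '' || u.password !== '') return null;
  if (u.hash !== '') return null;
  if (u.protocol !== 'https:') return null; // assumption: TLS-only deployment
  return u.origin + u.pathname + u.search;
}

// Strict check: exact match against registered redirect URIs, compared only
// after both sides have been parsed and canonicalised the same way.
function exactAllowed(redirectUri: string, registered: string[]): boolean {
  const candidate = canonicalRedirect(redirectUri);
  if (candidate === null) return false;
  return registered.some((r) => canonicalRedirect(r) === candidate);
}

// Constructed sample data: a typical hand-written pattern (unescaped dots,
// no anchors), the URI it was meant to allow, and three probes.
const ALLOWED_PATTERNS = ['https://portal.example.com/.*'];
const REGISTERED = ['https://portal.example.com/api/auth/callback'];

const PROBES: Record<string, string> = {
  legitimate: 'https://portal.example.com/api/auth/callback',
  // the pattern matches inside the query string; the host is the attacker's
  nestedInQuery:
    'https://attacker.example/cb?next=https://portal.example.com/api/auth/callback',
  // the unescaped '.' in the pattern also matches '-' in a look-alike host
  lookalikeHost: 'https://portal-example.com/api/auth/callback',
  // a fragment survives the regex but is forbidden for redirect URIs
  withFragment: 'https://portal.example.com/api/auth/callback#x',
};

// Runs every probe through both checks so the difference is visible.
function evaluateProbes(): Record<string, { naive: boolean; exact: boolean }> {
  const out: Record<string, { naive: boolean; exact: boolean }> = {};
  for (const [name, uri] of Object.entries(PROBES)) {
    out[name] = {
      naive: naiveAllowed(uri, ALLOWED_PATTERNS),
      exact: exactAllowed(uri, REGISTERED),
    };
  }
  return out;
}

// console.table(evaluateProbes()) shows naive=true for all four probes and
// exact=true only for the legitimate one.
```

The three attacker probes all pass the naive check for different reasons (substring match inside the query, an unescaped metacharacter in the pattern, a trailing fragment), and none of them survive exact matching on parsed components. A userinfo probe such as `https://portal.example.com@attacker.example/...` is rejected by the strict check before any comparison is made.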
Attack Vector
The attack is network-based and requires user interaction. An attacker must:
- Craft a malicious redirect URI that exploits the validation bypass
- Send the victim a link initiating an OAuth flow with the malicious redirect
- Wait for the victim to approve the OAuth consent request
- Capture the authorization code sent to the attacker-controlled host
- Exchange the captured code for a valid access token
The vulnerability requires low attacker privileges but exploits the victim's authenticated session. The attack can result in high confidentiality impact through token theft and low integrity impact by potentially allowing unauthorized actions on behalf of the victim.
Detection Methods for CVE-2026-32235
Indicators of Compromise
- Unusual redirect_uri values in authentication logs that contain percent-encoding tricks, userinfo components, embedded URLs, or suspicious path components
- Authorization codes being issued to redirect URIs that don't match expected legitimate endpoints
- Authorization-code exchanges at the token endpoint from clients or source addresses that are not the expected legitimate applications (the stolen code is redeemed by the attacker, not by the victim's browser)
- User reports of unexpected OAuth consent prompts from Backstage
Detection Strategies
- Monitor authentication backend logs for redirect_uri values that contain URL encoding, dot-segment or path traversal sequences, or unusual characters
- Re-parse each redirect_uri that the provider accepted with a strict URL parser and alert when its host is not one the allowlist patterns were meant to cover; the server never sees the browser's final destination, so this re-parse is the closest available signal
- Review audit logs for access token exchanges occurring from unexpected IP ranges or geographic locations
- Enable verbose logging on the OIDC provider to capture full redirect URI validation details
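An added example of the re-parse detection pass above, run over constructed log lines (this is not Backstage's log format; the `event` and `redirect_uri` field names, the `oidc.authorize` event name, the client IDs and the expected host are all assumptions to adapt to what your deployment actually emits):

```typescript
// Added example: detection pass over authorization-request log lines.
// The JSON log shape below is constructed for this example; map the field
// names onto the fields your auth backend really logs.

interface Finding {
  line: number;
  redirectUri: string;
  reasons: string[];
}

// Assumption: the only host that should ever receive authorization codes.
const EXPECTED_HOSTS = new Set(['portal.example.com']);

function parseUrlSafe(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

function parseJson(line: string): Record<string, unknown> | null {
  try {
    return JSON.parse(line) as Record<string, unknown>;
  } catch {
    return null;
  }
}

// Returns the reasons a redirect_uri looks suspicious; empty means clean.
function classifyRedirect(raw: string, expectedHosts: Set<string>): string[] {
  const reasons: string[] = [];
  if (/%[0-9a-fA-F]{2}/.test(raw)) reasons.push('percent-encoding');
  if (raw.includes('/..')) reasons.push('dot-segments');
  const u = parseUrlSafe(raw);
  if (u === null) {
    reasons.push('unparseable');
    return reasons;
  }
  if (u.username !== '' || u.password !== '') reasons.push('userinfo');
  if (u.hash !== '') reasons.push('fragment');
  if (!expectedHosts.has(u.hostname)) reasons.push(`unexpected-host:${u.hostname}`);
  if (/https?:/i.test(u.search)) reasons.push('nested-url-in-query');
  return reasons;
}

// Walks the log, keeps only authorization requests, and reports the lines
// whose redirect_uri trips at least one rule.
function analyzeAuthLog(lines: string[], expectedHosts: Set<string> = EXPECTED_HOSTS): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((line, i) => {
    const entry = parseJson(line);
    if (entry === null) return;
    const redirectUri = entry.redirect_uri;
    if (entry.event !== 'oidc.authorize' || typeof redirectUri !== 'string') return;
    const reasons = classifyRedirect(redirectUri, expectedHosts);
    if (reasons.length > 0) findings.push({ line: i + 1, redirectUri, reasons });
  });
  return findings;
}

// Constructed sample log: one clean request, two crafted ones, one unrelated event.
const SAMPLE_LOG: string[] = [
  '{"event":"oidc.authorize","client_id":"portal-app","redirect_uri":"https://portal.example.com/api/auth/callback"}',
  '{"event":"oidc.authorize","client_id":"dyn-1a2b","redirect_uri":"https://attacker.example/cb?next=https://portal.example.com/api/auth/callback"}',
  '{"event":"oidc.authorize","client_id":"dyn-1a2b","redirect_uri":"https://portal.example.com@attacker.example/api/auth/callback"}',
  '{"event":"oidc.token","client_id":"portal-app"}',
];

// analyzeAuthLog(SAMPLE_LOG) flags lines 2 and 3 only.
```

The host check is the one that matters for this CVE: whatever trick the redirect_uri uses to satisfy a pattern, the parsed hostname is where the browser will actually deliver the code, and it should never be a host outside the expected set.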
Monitoring Recommendations
- Configure SIEM rules to detect anomalous OAuth flow patterns in Backstage authentication logs
- Monitor for increased failed authorization attempts which may indicate reconnaissance
- Track user session activities following OAuth authentication for signs of account takeover
- Implement alerting for new or modified allowedRedirectUriPatterns configurations
How to Mitigate CVE-2026-32235
Immediate Actions Required
- Upgrade @backstage/plugin-auth-backend to version 0.27.1 or later immediately
- If upgrade is not immediately possible, consider temporarily disabling experimental Dynamic Client Registration and Client ID Metadata Documents features
- Audit existing allowedRedirectUriPatterns configurations for overly permissive patterns
- Review authentication logs for any signs of exploitation prior to patching
Patch Information
The vulnerability is fixed in @backstage/plugin-auth-backend version 0.27.1. Organizations should update their Backstage deployment to this version or later. For detailed information about the fix, refer to the GitHub Security Advisory GHSA-wqvh-63mv-9w92.
Workarounds
- Disable experimental OIDC features (Dynamic Client Registration and Client ID Metadata Documents) if not strictly required
- Implement strict, explicit redirect URI patterns rather than using wildcards or broad regex patterns
- Validate the redirect_uri parameter on requests to the authorization endpoint at the reverse proxy or WAF layer, rejecting anything whose parsed host is not a known legitimate callback host
- Do not rely on network egress controls on the Backstage host for this: the redirect is followed by the victim's browser, not by the server, so the server's outbound rules never see it
# Verify the currently installed auth backend plugin version
npm list @backstage/plugin-auth-backend
# Update to the patched release. Standard Backstage repos use yarn workspaces
# with the backend package under packages/backend; adjust the path for your layout.
yarn --cwd packages/backend add @backstage/plugin-auth-backend@^0.27.1
# Equivalent with npm (npm install pins the new range; npm update only bumps within the existing one)
npm install @backstage/plugin-auth-backend@^0.27.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

