{"id":"CVE-2026-32235","summary":"@backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass","details":"Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default. This vulnerability is fixed in 0.27.1.","aliases":["GHSA-wqvh-63mv-9w92"],"modified":"2026-04-10T05:42:20.177173Z","published":"2026-03-12T18:35:06.325Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32235.json","cwe_ids":["CWE-601"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32235.json"},{"type":"ADVISORY","url":"https://github.com/backstage/backstage/security/advisories/GHSA-wqvh-63mv-9w92"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32235"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/backstage/backstage","events":[{"introduced":"0"},{"last_affected":"750ca1cce7f29d63e1ceaf8e269f8ec6ceb58f9c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.27.0"}]}}],"versions":["cli-old-cache-watch","hackweek-demo","release-2021-01-07","release-2021-01-08","release-2021-01-09","release-2021-01-14","release-2021-01-14.1","release-2021-01-18","release-2021-01-20","release-2021-01-21","release-2021-01-21.1","release-2021-01-28","release-2021-01-29","release-2021-02-01","release-2021-02-03","release-2021-02-05","release-2021-02-11","release-2021-02-16","release-2021-02-18","release-2021-02-23","release-2021-03-04","release-2021-03-09","release-2021-03-11","release-2021-03-11.1","release-2021-03-16","release-2021-03-17","release-2021-03-18","release-2021-03-19","release-2021-03-25","release-2021-03-31","release-2021-03-31.1","release-2021-04-08","release-2021-04-13","release-2021-04-15","release-2021-04-21","release-2021-04-22","release-2021-04-22.1","release-2021-04-29","release-2021-05-04","release-2021-05-06","release-2021-05-10","release-2021-05-11","release-2021-05-12","release-2021-05-12.1","release-2021-05-17","release-2021-05-20","release-2021-1-7","v0.1.0","v0.1.1","v0.1.1-alpha.0","v0.1.1-alpha.1","v0.1.1-alpha.10","v0.1.1-alpha.11","v0.1.1-alpha.12","v0.1.1-alpha.13","v0.1.1-alpha.15","v0.1.1-alpha.16","v0.1.1-alpha.17","v0.1.1-alpha.18","v0.1.1-alpha.19","v0.1.1-alpha.2","v0.1.1-alpha.20","v0.1.1-alpha.21","v0.1.1-alpha.22","v0.1.1-alpha.23","v0.1.1-alpha.24","v0.1.1-alpha.25","v0.1.1-alpha.26","v0.1.1-alpha.3","v0.1.1-alpha.4","v0.1.1-alpha.5","v0.1.1-alpha.6","v0.1.1-alpha.7","v0.1.1-alpha.8","v0.10.0","v0.11.0","v0.11.1","v0.11.2","v0.11.3","v0.12.0","v0.13.0","v0.13.1","v0.14.0","v0.15.0","v0.16.0","v0.16.1","v0.17.0","v0.17.1","v0.17.2","v0.17.3","v0.18.0","v0.18.1","v0.19.0","v0.2.0","v0.20.0","v0.20.1","v0.21.0","v0.21.1","v0.22.0","v0.22.1","v0.22.2","v0.23.0","v0.24.0","v0.24.1","v0.25.0","v0.25.1","v0.25.2","v0.25.3","v0.26.0","v0.26.1","v0.27.0","v0.3.0","v0.3.1","v0.3.2","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.5.0","v0.6.0","v0.7.0","v0.8.0","v0.8.1","v0.8.2","v0.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32235.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N"}]}