Server-side Request Forgery (SSRF) Affecting @backstage/plugin-auth-backend package, versions >=0.27.0 <0.27.1
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-BACKSTAGEPLUGINAUTHBACKEND-15479717
- published12 Mar 2026
- disclosed12 Mar 2026
- creditUnknown
Introduced: 12 Mar 2026
NewCVE-2026-32236 (opens in a new tab)How to fix?
Upgrade @backstage/plugin-auth-backend to version 0.27.1 or higher.
Overview
@backstage/plugin-auth-backend is an A Backstage backend plugin that handles authentication
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the CIMD metadata fetch when the auth.experimentalClientIdMetadataDocuments.enabled setting is enabled. An attacker can cause the server to make requests to unintended internal resources by leveraging HTTP redirects after the initial hostname validation. This is only exploitable if the experimental feature is explicitly enabled and allowedClientIdPatterns is not restricted to trusted domains.
Note:
The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default.