CVE-2026-32235

{"id": "CVE-2026-32235", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.6}]}, "published": "2026-03-12T19:16:17.443", "references": [{"url": "https://github.com/backstage/backstage/security/advisories/GHSA-wqvh-63mv-9w92", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default. This vulnerability is fixed in 0.27.1."}, {"lang": "es", "value": "Backstage es un framework abierto para construir portales de desarrolladores. Antes de la versi\u00f3n 0.27.1, el proveedor OIDC experimental en @backstage/plugin-auth-backend es vulnerable a un bypass de la lista de permitidos de URI de redirecci\u00f3n. Las instancias que han habilitado el Registro Din\u00e1mico de Clientes experimental o los Documentos de Metadatos de ID de Cliente y han configurado allowedRedirectUriPatterns se ven afectadas. Una URI de redirecci\u00f3n especialmente dise\u00f1ada puede pasar la validaci\u00f3n de la lista de permitidos mientras se resuelve a un host controlado por el atacante. Si una v\u00edctima aprueba la solicitud de consentimiento de OAuth resultante, su c\u00f3digo de autorizaci\u00f3n se env\u00eda al atacante, quien puede intercambiarlo por un token de acceso v\u00e1lido. Esto requiere la interacci\u00f3n de la v\u00edctima y que una de las caracter\u00edsticas experimentales est\u00e9 expl\u00edcitamente habilitada, lo cual no es el valor predeterminado. Esta vulnerabilidad se corrige en la versi\u00f3n 0.27.1."}], "lastModified": "2026-03-19T20:55:22.143", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF2B3D86-9F1F-492C-A156-5DF20A14460C", "versionEndIncluding": "0.27.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}