CVE-2026-32236

{"id": "CVE-2026-32236", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 1.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-12T19:16:18.867", "references": [{"url": "https://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851de0e07", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD\nmetadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1."}, {"lang": "es", "value": "Backstage es un framework abierto para construir portales de desarrollador. Antes de 0.27.1, existe una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en @backstage/plugin-auth-backend cuando auth.experimentalClientIdMetadataDocuments.enabled est\u00e1 configurado como true. La obtenci\u00f3n de metadatos CIMD valida el nombre de host client_id inicial contra rangos de IP privados, pero no aplica la misma validaci\u00f3n despu\u00e9s de las redirecciones HTTP. El impacto pr\u00e1ctico es limitado. El atacante no puede leer el cuerpo de la respuesta de la petici\u00f3n interna, no puede controlar las cabeceras o el m\u00e9todo de la petici\u00f3n, y la caracter\u00edstica debe habilitarse expl\u00edcitamente mediante una bandera experimental que est\u00e1 desactivada por defecto. Las implementaciones que restringen allowedClientIdPatterns a dominios de confianza espec\u00edficos no se ven afectadas. Parcheado en la versi\u00f3n 0.27.1 de @backstage/plugin-auth-backend."}], "lastModified": "2026-04-15T21:17:26.827", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF2B3D86-9F1F-492C-A156-5DF20A14460C", "versionEndIncluding": "0.27.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}