Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2026-32235

Опубликовано: 12 мар. 2026
Источник: redhat
CVSS3: 5.9
EPSS Низкий

Описание

An allowlist bypass flaw has been discovered in the npm @backstage/plugin-auth-backend package. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Developer Hubrhdh/rhdh-hub-rhel9Fix deferred
Self-service automation portal 2ansible-automation-platform/automation-portalFix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-601
https://bugzilla.redhat.com/show_bug.cgi?id=2447075@backstage/plugin-auth-backend: @backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass

EPSS

Процентиль: 9%
0.00033
Низкий

5.9 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2026-32235

CVSS3: 5.9
nvd
14 дней назад

Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default. This vulnerability is fixed in 0.27.1.

github логотип

GHSA-wqvh-63mv-9w92

CVSS3: 5.9
github
15 дней назад

@backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass

EPSS

Процентиль: 9%
0.00033
Низкий

5.9 Medium

CVSS3