Redirect URI Allowlist Bypass in Backstage OIDC Provider by Spotify
CVE-2026-32235

5.9 MEDIUM

Key Information:

Vendor: @backstage
CVE Published: 12 March 2026

What is CVE-2026-32235?

A flaw exists in the experimental OpenID Connect (OIDC) provider of Backstage, in versions of plugin-auth-backend prior to 0.27.1. The issue arises when Dynamic Client Registration or Client ID Metadata Documents are enabled: an attacker can bypass the configured allowed redirect URI patterns by crafting a redirect URI that passes validation without pointing at an allowed application. If a victim is then led to approve an OAuth consent request, the victim's authorization code is sent to the attacker, who can exchange it for a valid access token and access sensitive user information. This vulnerability emphasizes the need for careful configuration of allowedRedirectUriPatterns and remains an issue until fixed in version 0.27.1.
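The bypass described above hinges on a redirect URI that satisfies the allowlist check while not actually pointing at the allowed application. The following TypeScript is an added example, not Backstage's code and not the code behind this CVE: it contrasts a hypothetical lax pattern match (glob converted to a regular expression without escaping metacharacters) with a strict check that parses the candidate URI and compares scheme, host and port exactly, allowing a wildcard only in the path and rejecting fragments and userinfo. The allowlist entries and candidate URIs are constructed sample values.

```typescript
// Added example (not Backstage's code): lax versus strict redirect-URI allowlisting.

// Constructed allowlist; the real allowedRedirectUriPatterns format is not shown on the page.
export const ALLOWED_REDIRECT_URI_PATTERNS: string[] = [
  "https://app.example.com/oauth/callback/*",
];

// Hypothetical lax check: the glob is turned into a regex by replacing "*" with ".*",
// so the unescaped dots in the host match any character and the end is unanchored.
export function laxRedirectUriAllowed(candidate: string): boolean {
  return ALLOWED_REDIRECT_URI_PATTERNS.some((pattern) =>
    new RegExp("^" + pattern.replace(/\*/g, ".*")).test(candidate),
  );
}

// Escape regex metacharacters, then let "*" stand for a single path segment only.
function pathGlobToRegExp(pathGlob: string): RegExp {
  const escaped = pathGlob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, "[^/]*");
  return new RegExp("^" + escaped + "$");
}

// Strict check: parse the candidate, refuse fragments and userinfo, require the
// origin (scheme + host + port) to match an allowed pattern exactly, and match the
// normalized path (so "/../" traversal is resolved before comparison) against the glob.
export function strictRedirectUriAllowed(candidate: string): boolean {
  let url: URL;
  try {
    url = new URL(candidate);
  } catch {
    return false;
  }
  if (url.hash !== "" || url.username !== "" || url.password !== "") {
    return false;
  }
  return ALLOWED_REDIRECT_URI_PATTERNS.some((pattern) => {
    const allowed = new URL(pattern);
    if (allowed.origin !== url.origin) {
      return false; // no wildcard or lookalike host is ever accepted
    }
    // Take the path part from the raw pattern string so "*" is preserved verbatim.
    const pathGlob = pattern.slice(allowed.origin.length);
    return pathGlobToRegExp(pathGlob).test(url.pathname);
  });
}

// Constructed candidates: one legitimate, one lookalike host, one path traversal.
export const SAMPLE_CANDIDATES: string[] = [
  "https://app.example.com/oauth/callback/",
  "https://app-example.com/oauth/callback/",
  "https://app.example.com/oauth/callback/../../somewhere-else",
];

for (const uri of SAMPLE_CANDIDATES) {
  console.log(uri, "lax:", laxRedirectUriAllowed(uri), "strict:", strictRedirectUriAllowed(uri));
}
```

The lookalike host is accepted by the lax check because the unescaped "." in the pattern matches the "-" in the attacker-controlled name; the strict check rejects it because the origin differs, and also rejects the traversal variant because the URL parser normalizes the path before the glob is applied.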

Affected Version(s)

plugin-auth-backend < 0.27.1

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
