CVE-2026-32236 is a low-severity SSRF vulnerability in the @backstage/plugin-auth-backend component of Backstage, an open framework for developer portals. When the experimental flag auth.experimentalClientIdMetadataDocuments.enabled is set to true, the plugin performs client_id metadata fetches that validate the initial hostname against private IP ranges but fail to apply this validation after HTTP redirects. This allows an attacker to cause the server to make unintended requests to internal resources. The vulnerability is limited in impact because the attacker cannot read the response body, control request headers or HTTP methods, and the feature is disabled by default. Additionally, deployments that restrict allowedClientIdPatterns to trusted domains are not vulnerable. The vulnerability is patched in version 0.27.1 of the plugin-auth-backend.

The SSRF vulnerability could allow an unauthenticated attacker to induce the server to make HTTP requests to internal or otherwise restricted network resources following redirects, potentially exposing internal network topology or causing side effects on internal services. However, the attacker cannot read response bodies or control request headers or methods, which limits the practical impact. The feature must be explicitly enabled via an experimental flag, which is off by default, further reducing exposure. Deployments restricting allowedClientIdPatterns to trusted domains are not affected.

Upgrade @backstage/plugin-auth-backend to version 0.27.1 or later, where this SSRF vulnerability is fixed. If upgrading is not immediately possible, ensure that the experimental flag auth.experimentalClientIdMetadataDocuments.enabled remains disabled (default off) and restrict allowedClientIdPatterns to trusted domains to prevent exposure. Patch status is confirmed by the vendor advisory indicating the fix in version 0.27.1.