fix(deps): update dependency @backstage/plugin-auth-backend to v0.27.1 [security]

[backstage-goalie]

This PR contains the following updates:

Package	Change	Age	Confidence
@backstage/plugin-auth-backend (source)	^0.26.0 → ^0.27.0
@backstage/plugin-auth-backend (source)	^0.25.2 → ^0.27.0
@backstage/plugin-auth-backend (source)	0.27.0 → 0.27.1
@backstage/plugin-auth-backend (source)	^0.25.3 → ^0.27.0
@backstage/plugin-auth-backend (source)	^0.25.5 → ^0.27.0
@backstage/plugin-auth-backend (source)	^0.25.1 → ^0.27.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

@​backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch

CVE-2026-32236 / GHSA-qp4c-xg64-7c6x

More information

Details

Impact

A Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD
metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects.

The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly
enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected.

Patches

Patched in @backstage/plugin-auth-backend version 0.27.1. The fix disables HTTP redirect following when fetching CIMD metadata documents.

Workarounds

Disable the experimental CIMD feature by removing or setting auth.experimentalClientIdMetadataDocuments.enabled to false in your app-config. This is the default configuration.
Alternatively, restrict allowedClientIdPatterns to specific trusted domains rather than using the default wildcard pattern.

References

• IETF Client ID Metadata Document draft
• MCP Authorization Specification - Client ID Metadata Documents

Severity

• CVSS Score: 0.0 / 10 (None)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N

References

• https://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x
• https://nvd.nist.gov/vuln/detail/CVE-2026-32236
• https://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851de0e07
• https://github.com/backstage/backstage

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

@​backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass

CVE-2026-32235 / GHSA-wqvh-63mv-9w92

More information

Details

Impact

The experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected.

A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token.

This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default.

Patches

Upgrade to @backstage/plugin-auth-backend version 0.27.1 or later.

Workarounds

Disable experimental Dynamic Client Registration and Client ID Metadata Documents features if they are not required.

References

• RFC 6749 Section 3.1.2 - Redirection Endpoint

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

References

• https://github.com/backstage/backstage/security/advisories/GHSA-wqvh-63mv-9w92
• https://nvd.nist.gov/vuln/detail/CVE-2026-32235
• https://github.com/backstage/backstage/commit/6042dd0c7f0706e0f473dafa92799ecf19c825ec
• https://github.com/backstage/backstage

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

backstage/backstage (@​backstage/plugin-auth-backend)

v0.27.1

Compare Source

Patch Changes

• d0f4cd2: Added optional client metadata document endpoint at /.well-known/oauth-client/cli.json relative to the auth backend base URL for CLI authentication. Enabled when auth.experimentalClientIdMetadataDocuments.enabled is set to true.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.8.0-next.1
  • @​backstage/plugin-auth-node@​0.6.14-next.2
  • @​backstage/plugin-catalog-node@​2.1.0-next.2

v0.27.0

Compare Source

Minor Changes

• 31de2c9: Added experimental support for Client ID Metadata Documents (CIMD).

  This allows Backstage to act as an OAuth 2.0 authorization server that supports the IETF Client ID Metadata Document draft. External OAuth clients can use HTTPS URLs as their client_id, and Backstage will fetch metadata from those URLs to validate the client.

  Configuration example:

  auth:
    experimentalClientIdMetadataDocuments:
      enabled: true
      # Optional: restrict which `client_id` URLs are allowed (defaults to ['*'])
      allowedClientIdPatterns:
        - 'https://example.com/*'
        - 'https://*.trusted-domain.com/*'
      # Optional: restrict which redirect URIs are allowed (defaults to ['*'])
      allowedRedirectUriPatterns:
        - 'http://localhost:*'
        - 'https://*.example.com/*'

  Clients using CIMD must host a JSON metadata document at their client_id URL containing at minimum:

  {
    "client_id": "https://example.com/.well-known/oauth-client/my-app",
    "client_name": "My Application",
    "redirect_uris": ["http://localhost:8080/callback"],
    "token_endpoint_auth_method": "none"
  }

• d0786b9: Added experimental support for refresh tokens via the auth.experimentalRefreshToken.enabled configuration option. When enabled, clients can request the offline_access scope to receive refresh tokens that can be used to obtain new access tokens without re-authentication.

Patch Changes

• 7dc3dfe: Removed the auth.experimentalDynamicClientRegistration.tokenExpiration config option. DCR tokens now use the default 1 hour expiration.

  If you need longer-lived access, use refresh tokens via the offline_access scope instead. DCR clients should already have the offline_access scope available. Enable refresh tokens by setting:

  auth:
    experimentalRefreshToken:
      enabled: true

• 7455dae: Use node prefix on native imports

• Updated dependencies

  • @​backstage/plugin-catalog-node@​2.0.0
  • @​backstage/backend-plugin-api@​1.7.0
  • @​backstage/plugin-auth-node@​0.6.13

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[backstage-goalie]

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
backend	workspaces/3scale/packages/backend	none	v0.0.1
@backstage-community/plugin-azure-sites-backend	workspaces/azure-sites/plugins/azure-sites-backend	patch	v0.15.0
@backstage-community/plugin-feedback-backend	workspaces/feedback/plugins/feedback-backend	patch	v2.1.6
@backstage-community/backstage-plugin-mta-backend	workspaces/mta/plugins/mta-backend	patch	v0.5.2
@backstage-community/plugin-report-portal-backend	workspaces/report-portal/plugins/report-portal-backend	patch	v1.1.2
@backstage-community/plugin-rollbar-backend	workspaces/rollbar/plugins/rollbar-backend	patch	v0.10.0