Backstage Auth Backend Plugin Exposed: Critical OIDC Redirect Bypass Vulnerability (CVE-2026-32235)
A critical security flaw in Backstage's authentication backend has been exposed, posing a direct threat to any organization using the platform's experimental OIDC provider. The vulnerability, tracked as CVE-2026-32235, allows for a bypass of the redirect URI allowlist—a fundamental security control designed to prevent authorization code interception and account takeover. This is not a theoretical risk; it is a live, exploitable weakness in a core component of the popular CNCF-backed developer portal.
The vulnerability resides specifically within the `@backstage/plugin-auth-backend` module. The flaw enables an attacker to circumvent the configured list of approved redirect URIs. In practice, this could allow a malicious actor to redirect a user's authorization code to a domain the attacker controls after a successful login, potentially leading to full session compromise. The issue affects all releases before the fix, so the remediation is an urgent dependency update to version 0.27.0 or later.
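Because the control that failed here is the redirect URI allowlist, it is worth seeing what a correct allowlist check looks like. The following Node.js snippet is an added example written for this article; it is not Backstage's code and does not describe the specific bypass in CVE-2026-32235 (the advisory does not detail the mechanism). It enforces exact matching of scheme, host, port, path and query string after parsing, which is what RFC 6749 and the OAuth 2.0 Security Best Current Practice call for, with the one standard relaxation that loopback redirect URIs may use any port (RFC 8252 section 7.3). The allowlist entries, hostnames and probe inputs are constructed for illustration.

```javascript
// Added example (not Backstage's code): exact-match enforcement of a redirect URI
// allowlist. Prefix or substring comparisons are a classic source of allowlist
// bypasses; comparing parsed components avoids that whole class of mistake.

// Loopback hosts whose port is allowed to vary at runtime (RFC 8252 section 7.3).
const LOOPBACK_HOSTS = new Set(['127.0.0.1', '[::1]']);

// Parse a redirect URI into the components that must match exactly.
// Returns null for anything that can never be a legitimate redirect target:
// relative or malformed URLs, non-HTTP schemes, embedded userinfo, or a fragment.
function parseRedirectUri(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // relative path or malformed input
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (url.username !== '' || url.password !== '') return null;
  if (url.hash !== '') return null;
  return {
    protocol: url.protocol,
    hostname: url.hostname, // already lower-cased by the URL parser
    port: url.port,         // '' when the scheme's default port is used
    pathname: url.pathname, // dot-segments such as ".." are already resolved
    search: url.search,
  };
}

// Compare a requested redirect URI against one registered entry, component by component.
function matchesRegisteredUri(requested, registered) {
  if (requested.protocol !== registered.protocol) return false;
  if (requested.hostname !== registered.hostname) return false;
  if (requested.pathname !== registered.pathname) return false;
  if (requested.search !== registered.search) return false;
  const portMayVary =
    requested.protocol === 'http:' && LOOPBACK_HOSTS.has(registered.hostname);
  return portMayVary || requested.port === registered.port;
}

// True only if `raw` matches at least one allowlist entry exactly.
function isAllowedRedirectUri(raw, allowlist) {
  const requested = parseRedirectUri(raw);
  if (requested === null) return false;
  return allowlist.some(entry => {
    const registered = parseRedirectUri(entry);
    return registered !== null && matchesRegisteredUri(requested, registered);
  });
}

// Constructed allowlist for a hypothetical Backstage deployment.
const ALLOWLIST = [
  'https://portal.example.com/api/auth/oidc/handler/frame',
  'http://127.0.0.1/api/auth/oidc/handler/frame',
];

// Constructed probes: the first two are legitimate, the remaining five must be rejected
// (lookalike host, userinfo trick, path traversal, extra query string, relative path).
const PROBES = [
  'https://portal.example.com/api/auth/oidc/handler/frame',
  'http://127.0.0.1:51234/api/auth/oidc/handler/frame',
  'https://portal.example.com.lookalike.example/api/auth/oidc/handler/frame',
  'https://portal.example.com@lookalike.example/api/auth/oidc/handler/frame',
  'https://portal.example.com/api/auth/oidc/handler/frame/../../../../elsewhere',
  'https://portal.example.com/api/auth/oidc/handler/frame?next=https://lookalike.example',
  '/api/auth/oidc/handler/frame',
];

// Evaluate every probe against the allowlist; returned so it can be checked programmatically.
function evaluateProbes() {
  return PROBES.map(uri => ({ uri, allowed: isAllowedRedirectUri(uri, ALLOWLIST) }));
}

for (const { uri, allowed } of evaluateProbes()) {
  console.log(`${allowed ? 'ALLOW ' : 'REJECT'} ${uri}`);
}
```

The design choice worth noting is that the check never touches the raw string after parsing: host case and default ports are normalised by the URL parser, dot-segments are resolved before the path comparison, and any userinfo or fragment is an immediate rejection. A deployment that needs a wildcard (for example per-branch preview environments) should express it as an explicit list of registered hosts rather than relaxing the comparison to a prefix match.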
The immediate pressure is on development and platform engineering teams to assess their deployment's exposure. Any Backstage instance that has enabled the experimental OIDC provider is at risk until the patch is applied. This advisory underscores the persistent security challenges in complex, modular authentication systems and the critical importance of timely dependency management for foundational internal developer tools. The fix is now available, but the window for exploitation remains open for unpatched systems.
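Assessing exposure starts with finding every installed copy of the affected package and comparing it with the fixed version. The following Node.js snippet is an added example, not part of the advisory or of Backstage: it walks a dependency tree in the shape produced by `npm ls --json` (a nested `dependencies` object keyed by package name, each node carrying a `version`) and reports every `@backstage/plugin-auth-backend` older than 0.27.0, the version the advisory names as fixed. The sample tree, its package names other than the Backstage one, and the installed version numbers are constructed for illustration.

```javascript
// Added example (not from the advisory or Backstage): flag installed copies of the
// affected package that are older than the fixed version stated in the advisory.
const AFFECTED_PACKAGE = '@backstage/plugin-auth-backend';
const FIXED_VERSION = '0.27.0'; // from the advisory

// Parse "major.minor.patch[-prerelease]" (build metadata after "+" is ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease (e.g. 0.27.0-next.1) sorts before its final release, so it is still affected.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Recursively walk an `npm ls --json` style tree, collecting affected installs with
// the dependency path that pulled each one in (useful when a transitive copy is the culprit).
function findAffectedInstalls(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version || '?'}`];
    if (name === AFFECTED_PACKAGE && node.version &&
        compareSemver(node.version, FIXED_VERSION) < 0) {
      out.push({ version: node.version, path: here.join(' > ') });
    }
    findAffectedInstalls(node, here, out);
  }
  return out;
}

// Constructed sample in the shape of `npm ls --json`: one direct copy that is too old
// and one transitive copy that is already at the fixed version.
const SAMPLE_NPM_LS = {
  name: 'example-backstage-app', // constructed
  version: '1.0.0',
  dependencies: {
    '@backstage/plugin-auth-backend': { version: '0.26.1', dependencies: {} }, // constructed version
    'internal-auth-wrapper': { // constructed package name
      version: '2.3.0',
      dependencies: {
        '@backstage/plugin-auth-backend': { version: '0.27.0', dependencies: {} },
      },
    },
  },
};

for (const hit of findAffectedInstalls(SAMPLE_NPM_LS)) {
  console.log(`AFFECTED ${hit.version} via ${hit.path}`);
}
```

In practice the tree is obtained with `npm ls @backstage/plugin-auth-backend --json` in the app's root; Yarn-based Backstage apps (the common case) print a different shape from `yarn why @backstage/plugin-auth-backend`, so the walker assumes npm's layout and the version check is the part that carries over. Finding no affected copy is only half the assessment: the advisory ties exposure to the experimental OIDC provider being enabled, so the `app-config` for each environment should be checked alongside the dependency versions.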