chore: Update dependency @backstage/plugin-auth-backend to v0.27.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@backstage/plugin-auth-backend (source)	0.27.0 → 0.27.1

GitHub Vulnerability Alerts

CVE-2026-32235

Impact

The experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected.

A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token.

This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default.

Patches

Upgrade to @backstage/plugin-auth-backend version 0.27.1 or later.

Workarounds

Disable experimental Dynamic Client Registration and Client ID Metadata Documents features if they are not required.

References

• RFC 6749 Section 3.1.2 - Redirection Endpoint

CVE-2026-32236

Impact

A Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD
metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects.

The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly
enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected.

Patches

Patched in @backstage/plugin-auth-backend version 0.27.1. The fix disables HTTP redirect following when fetching CIMD metadata documents.

Workarounds

Disable the experimental CIMD feature by removing or setting auth.experimentalClientIdMetadataDocuments.enabled to false in your app-config. This is the default configuration.
Alternatively, restrict allowedClientIdPatterns to specific trusted domains rather than using the default wildcard pattern.

References

• IETF Client ID Metadata Document draft
• MCP Authorization Specification - Client ID Metadata Documents

---

Release Notes

backstage/backstage (@​backstage/plugin-auth-backend)

v0.27.1

Compare Source

Patch Changes

• d0f4cd2: Added optional client metadata document endpoint at /.well-known/oauth-client/cli.json relative to the auth backend base URL for CLI authentication. Enabled when auth.experimentalClientIdMetadataDocuments.enabled is set to true.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.8.0-next.1
  • @​backstage/plugin-auth-node@​0.6.14-next.2
  • @​backstage/plugin-catalog-node@​2.1.0-next.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.