fix(deps): update dependency @backstage/plugin-auth-backend to v0.27.1 [security] by renovate[bot] · Pull Request #4404 · redhat-developer/rhdh

renovate · 2026-03-13T07:05:36Z

This PR contains the following updates:

Package	Change	Age	Confidence
@backstage/plugin-auth-backend (source)	`0.27.0` → `0.27.1`

GitHub Vulnerability Alerts

CVE-2026-32235

Impact

The experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected.

A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token.

This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default.

Patches

Upgrade to @backstage/plugin-auth-backend version 0.27.1 or later.

Workarounds

Disable experimental Dynamic Client Registration and Client ID Metadata Documents features if they are not required.

References

RFC 6749 Section 3.1.2 - Redirection Endpoint

Release Notes

backstage/backstage (@backstage/plugin-auth-backend)

`v0.27.1`

Compare Source

Patch Changes

d0f4cd2: Added optional client metadata document endpoint at /.well-known/oauth-client/cli.json relative to the auth backend base URL for CLI authentication. Enabled when auth.experimentalClientIdMetadataDocuments.enabled is set to true.
Updated dependencies
- @backstage/backend-plugin-api@1.8.0-next.1
- @backstage/plugin-auth-node@0.6.14-next.2
- @backstage/plugin-catalog-node@2.1.0-next.2

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

openshift-ci · 2026-03-13T07:05:49Z

Hi @renovate[bot]. Thanks for your PR.

I'm waiting for a redhat-developer member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

github-actions · 2026-03-13T07:46:41Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-13T21:47:24Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-16T04:46:19Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-16T11:27:38Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-16T17:49:41Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-17T17:46:55Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-18T06:19:06Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-18T16:04:34Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-18T19:48:04Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-19T12:53:18Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-20T13:29:53Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-23T16:12:08Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-23T20:46:17Z

The container image build workflow finished with status: cancelled.

github-actions · 2026-03-23T21:26:57Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-23T22:30:44Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-24T11:47:58Z

Image was built and published successfully. It is available at:

github-actions · 2026-03-24T16:53:41Z

The container image build workflow finished with status: failure.

github-actions · 2026-03-25T10:19:42Z

The container image build workflow finished with status: failure.

github-actions · 2026-03-25T17:08:02Z

Image was built and published successfully. It is available at:

…1 [security] Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

sonarqubecloud · 2026-03-25T18:23:59Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

github-actions · 2026-03-25T18:24:26Z

The container image build workflow finished with status: cancelled.

github-actions · 2026-03-25T19:04:22Z

Image was built and published successfully. It is available at:

kim-tsao

/lgtm

kim-tsao · 2026-03-25T20:00:50Z

/ok-to-test

renovate bot added kind/dependency upgrade kind/security labels Mar 13, 2026

renovate bot requested a review from a team March 13, 2026 07:05

openshift-ci bot requested review from jonkoops and rm3l March 13, 2026 07:05

openshift-ci bot added the needs-ok-to-test label Mar 13, 2026

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from 57e76b1 to 7ee1c25 Compare March 13, 2026 21:08

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from 7ee1c25 to dac1c4d Compare March 16, 2026 04:07

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from dac1c4d to de50017 Compare March 16, 2026 10:51

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from de50017 to 9f1fd2a Compare March 16, 2026 17:08

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from 9f1fd2a to d9d516a Compare March 17, 2026 17:03

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from d9d516a to 9a947af Compare March 18, 2026 05:38

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from 9a947af to 88452e6 Compare March 18, 2026 15:23

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from 88452e6 to 0b223f9 Compare March 18, 2026 19:04

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from 0b223f9 to 0422f21 Compare March 19, 2026 12:17

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from 0422f21 to ac2854a Compare March 20, 2026 12:49

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from ac2854a to 1797a14 Compare March 20, 2026 22:50

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from bbf1b78 to af068f1 Compare March 23, 2026 15:30

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch 2 times, most recently from 4a9256b to 27d7078 Compare March 23, 2026 20:46

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from 27d7078 to d6b80d7 Compare March 23, 2026 21:51

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from d6b80d7 to 9317a2e Compare March 24, 2026 11:07

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from 9317a2e to 6d3c64a Compare March 24, 2026 16:52

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from 6d3c64a to 099ea61 Compare March 25, 2026 10:18

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from 099ea61 to 83bc0dd Compare March 25, 2026 16:28

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from 83bc0dd to 695cf63 Compare March 25, 2026 18:18

fix(deps): update dependency @backstage/plugin-auth-backend to v0.27.…

fd114f5

…1 [security] Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

renovate bot force-pushed the renovate/npm-backstage-plugin-auth-backend-vulnerability branch from 695cf63 to fd114f5 Compare March 25, 2026 18:23

kim-tsao approved these changes Mar 25, 2026

View reviewed changes

openshift-ci bot assigned kim-tsao Mar 25, 2026

openshift-ci bot added the lgtm label Mar 25, 2026

openshift-ci bot added ok-to-test and removed needs-ok-to-test labels Mar 25, 2026

openshift-merge-bot bot merged commit c527638 into main Mar 25, 2026
17 of 18 checks passed

openshift-merge-bot bot deleted the renovate/npm-backstage-plugin-auth-backend-vulnerability branch March 25, 2026 20:02

Conversation

renovate bot commented Mar 13, 2026

GitHub Vulnerability Alerts

CVE-2026-32235

Impact

Patches

Workarounds

References

Release Notes

v0.27.1

Patch Changes

Configuration

Uh oh!

openshift-ci bot commented Mar 13, 2026

Uh oh!

github-actions bot commented Mar 13, 2026

Uh oh!

github-actions bot commented Mar 13, 2026

Uh oh!

github-actions bot commented Mar 16, 2026

Uh oh!

github-actions bot commented Mar 16, 2026

Uh oh!

github-actions bot commented Mar 16, 2026

Uh oh!

github-actions bot commented Mar 17, 2026

Uh oh!

github-actions bot commented Mar 18, 2026

Uh oh!

github-actions bot commented Mar 18, 2026

Uh oh!

github-actions bot commented Mar 18, 2026

Uh oh!

github-actions bot commented Mar 19, 2026

Uh oh!

github-actions bot commented Mar 20, 2026

Uh oh!

github-actions bot commented Mar 23, 2026

Uh oh!

github-actions bot commented Mar 23, 2026

Uh oh!

github-actions bot commented Mar 23, 2026

Uh oh!

github-actions bot commented Mar 23, 2026

Uh oh!

github-actions bot commented Mar 24, 2026

Uh oh!

github-actions bot commented Mar 24, 2026

Uh oh!

github-actions bot commented Mar 25, 2026

Uh oh!

github-actions bot commented Mar 25, 2026

Uh oh!

sonarqubecloud bot commented Mar 25, 2026

Quality Gate passed

Uh oh!

github-actions bot commented Mar 25, 2026

Uh oh!

github-actions bot commented Mar 25, 2026

Uh oh!

kim-tsao left a comment

Choose a reason for hiding this comment

Uh oh!

kim-tsao commented Mar 25, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

`v0.27.1`