CVE-2026-27739
Server-Side Request Forgery in Angular SSR Enables Internal Request Hijacking
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Affected range |
|---|---|---|
| angular | angular_ssr | From 21.0.0-next.0 (inc) to 21.1.5 (exc) |
| angular | angular_ssr | From 20.0.0-next.0 (inc) to 20.3.17 (exc) |
| angular | angular_ssr | From 19.0.0-next.0 (inc) to 19.2.21 (exc) |
| angular | angular_ssr | Up to 18.2.21 (inc); no fixed 18.x release is listed on this page |
| angular | angular_ssr | All versions before 21.2.0-rc.1 (exc) |
| nguniversal | common | Up to 16.2.0 (inc) |
| nguniversal | express-engine | Up to 16.2.0 (inc) |

The page also lists the following single angular_ssr versions. They are the first patched release on each branch (the same versions named under mitigation below), not affected versions:

| Vendor | Product | Patched release |
|---|---|---|
| angular | angular_ssr | 21.1.5 |
| angular | angular_ssr | 20.3.17 |
| angular | angular_ssr | 19.2.21 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2026-27739 comes down to watching the HTTP requests that reach the Angular SSR server for manipulated Host and X-Forwarded-* headers: hostnames outside the set you actually serve, non-numeric values in X-Forwarded-Port, and anything other than http or https in X-Forwarded-Proto.

Two practical approaches:
- Packet capture with tcpdump. This only works for plaintext HTTP; on port 443 the headers sit inside TLS and grep will see nothing, so capture on the hop between the TLS-terminating proxy and the SSR process instead: tcpdump -A -s 0 'tcp port 80' | grep -iE 'Host:|X-Forwarded-'
- Access-log analysis. nginx's default combined log format records neither Host nor any X-Forwarded-* header, so first define a log_format that includes $host, $http_x_forwarded_host, $http_x_forwarded_proto and $http_x_forwarded_port; only then will a search such as grep -iE 'suspicious-domain' /var/log/nginx/access.log find anything.

Beyond ad hoc grepping, log and alert on every request whose Host or X-Forwarded-* values fall outside your allowlist; those are the requests that could reach the vulnerable code path. [2, 3, 4]
Can you explain this vulnerability to me?
CVE-2026-27739 is a Server-Side Request Forgery (SSRF) vulnerability in Angular's Server-Side Rendering (SSR) pipeline. It arises because Angular's internal URL reconstruction logic trusts user-controlled HTTP headers, specifically Host and the X-Forwarded-* headers, without validating them. An attacker who can set those headers can therefore redirect the server's internal HTTP client requests to arbitrary destinations.

The vulnerability manifests in two ways: implicit relative URL resolution, where HttpClient running during SSR resolves a relative URL against a base origin that was reconstructed from the attacker-controlled headers, and explicit manual URL construction, where application code builds URLs from those unvalidated headers. Either path lets the attacker steer internal requests.

To be vulnerable, an application must use Angular SSR, perform HttpClient requests with relative URLs or manually construct URLs from unvalidated headers, and be reachable by an attacker who can influence those headers. That last condition holds whenever the upstream proxy forwards client-supplied X-Forwarded-* values instead of overwriting them with its own.

Patched versions introduce strict validation of these headers: host allowlisting, a numeric check on the port, and protocol validation. [4, 3]
How can this vulnerability impact me?
Exploitation of this vulnerability lets an attacker redirect the vulnerable server's internal requests to a destination of their choosing. This can lead to several serious impacts:
- Credential exfiltration: server-side requests that carry sensitive headers such as Authorization tokens or cookies are delivered to an attacker-controlled server.
- Internal network probing: the attacker can reach internal services, databases, or cloud metadata endpoints that are not reachable from outside.
- Confidentiality breaches: sensitive server-side information is exposed through the manipulated requests.
Attackers can also cause denial of service, or infer sensitive information from differences in response behaviour. The vulnerability is remotely exploitable, requires no user interaction, and has low attack complexity.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation for CVE-2026-27739 is to upgrade Angular SSR to a patched version and, until that is done, to validate strictly every HTTP header that feeds URL construction.
- Upgrade Angular SSR to one of the patched versions: 21.2.0-rc.1, 21.1.5, 20.3.17, or 19.2.21.
- Do not build URLs from untrusted headers such as Host and X-Forwarded-*. Take the API base URL from server configuration (for example an environment variable) or use absolute URLs.
- Add middleware to your server (e.g., in server.ts) that validates incoming headers: Host and X-Forwarded-Host must match an allowlist of authorized hosts, X-Forwarded-Port must be numeric, and X-Forwarded-Proto must be either 'http' or 'https'.
- Reject or log requests carrying invalid or untrusted header values; either fall back to Client-Side Rendering (CSR) or return 400 Bad Request for such requests.
- At the reverse proxy in front of the SSR server, overwrite rather than pass through client-supplied X-Forwarded-* headers, so the application only ever sees values the proxy itself set.
These steps provide a defense-in-depth layer against SSRF exploitation until the upgrade can be completed. [3, 4]
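The following TypeScript is added here as an example; it is not code from Angular, @angular/ssr, or the advisory. It ties the three preceding answers together: the vulnerable origin reconstruction that lets a forged X-Forwarded-Host steer a relative HttpClient URL (the explanation above), the header validation from the mitigation list written as an Express-style middleware for server.ts, and the same checks run over constructed proxy log lines for detection. ALLOWED_HOSTS, every function name, the nginx log_format and the sample log lines are assumptions made for the example.

```typescript
// Added example: not Angular's code and not the advisory's. Names below are assumed.
type HeaderMap = Record<string, string | string[] | undefined>; // Node lowercases header names

// Assumed allowlist of the public host[:port] values this deployment legitimately serves.
export const ALLOWED_HOSTS: ReadonlySet<string> = new Set(['app.example.com', 'localhost:4000']);

// VULNERABLE pattern (the "implicit resolution" case): the base origin for relative
// HttpClient URLs is rebuilt from headers the client controls.
export function unsafeOrigin(h: HeaderMap): string {
  const proto = h['x-forwarded-proto'] ?? 'http';
  const host = h['x-forwarded-host'] ?? h['host'] ?? 'localhost';
  return `${proto}://${host}`;
}

// What a relative path becomes once resolved against a given origin.
export function resolveRelative(path: string, origin: string): string {
  return new URL(path, origin).toString();
}

export interface HeaderVerdict { ok: boolean; reason?: string }

// Strict validation as described under mitigation: allowlisted hosts, numeric port, http/https only.
export function validateForwardedHeaders(h: HeaderMap, allowed = ALLOWED_HOSTS): HeaderVerdict {
  const names = ['host', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port'];
  for (const n of names) if (Array.isArray(h[n])) return { ok: false, reason: `repeated ${n} header` };
  const get = (n: string) => h[n] as string | undefined;
  const host = get('host');
  if (host === undefined) return { ok: false, reason: 'missing Host header' };
  if (!allowed.has(host)) return { ok: false, reason: `Host not in allowlist: ${host}` };
  const fwdHost = get('x-forwarded-host');
  if (fwdHost !== undefined && !allowed.has(fwdHost)) {
    return { ok: false, reason: `X-Forwarded-Host not in allowlist: ${fwdHost}` };
  }
  const port = get('x-forwarded-port');
  if (port !== undefined && !(/^\d{1,5}$/.test(port) && Number(port) >= 1 && Number(port) <= 65535)) {
    return { ok: false, reason: `invalid X-Forwarded-Port: ${port}` };
  }
  const proto = get('x-forwarded-proto');
  if (proto !== undefined && proto !== 'http' && proto !== 'https') {
    return { ok: false, reason: `unexpected X-Forwarded-Proto: ${proto}` };
  }
  return { ok: true };
}

// HARDENED counterpart: the origin is only built from values that passed validation.
export function safeOrigin(h: HeaderMap): string {
  const v = validateForwardedHeaders(h);
  if (!v.ok) throw new Error(`rejecting request: ${v.reason}`);
  const proto = (h['x-forwarded-proto'] as string | undefined) ?? 'https';
  return `${proto}://${h['host'] as string}`;
}

// Express-compatible guard for server.ts, typed structurally so this file needs no express import.
export interface GuardReq { headers: HeaderMap }
export interface GuardRes { status(code: number): GuardRes; send(body: string): unknown }
export function forwardedHeaderGuard(allowed = ALLOWED_HOSTS) {
  return (req: GuardReq, res: GuardRes, next: () => void): void => {
    const v = validateForwardedHeaders(req.headers, allowed);
    if (!v.ok) { res.status(400).send('Bad Request'); return; } // or fall back to CSR here
    next();
  };
}

// Detection over proxy logs. Assumed nginx format (the default "combined" format logs none of these):
//   log_format fwd '$remote_addr "$host" "$http_x_forwarded_host" "$http_x_forwarded_proto" "$http_x_forwarded_port" "$request"';
// nginx writes "-" for an unset variable.
const LOG_LINE = /^(\S+) "([^"]*)" "([^"]*)" "([^"]*)" "([^"]*)" "([^"]*)"$/;

export function scanLog(text: string, allowed = ALLOWED_HOSTS): { line: string; reason: string }[] {
  const hits: { line: string; reason: string }[] = [];
  const field = (s: string | undefined) => (s === undefined || s === '-' ? undefined : s);
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const v = validateForwardedHeaders({
      host: field(m[2]), 'x-forwarded-host': field(m[3]),
      'x-forwarded-proto': field(m[4]), 'x-forwarded-port': field(m[5]),
    }, allowed);
    if (!v.ok) hits.push({ line, reason: v.reason ?? 'invalid headers' });
  }
  return hits;
}

// Constructed sample lines (not real traffic): one benign request, then three that should be flagged.
export const SAMPLE_LOG = `
203.0.113.5 "app.example.com" "-" "https" "443" "GET / HTTP/1.1"
198.51.100.7 "app.example.com" "attacker.example" "https" "443" "GET /profile HTTP/1.1"
198.51.100.8 "app.example.com" "-" "gopher" "443" "GET / HTTP/1.1"
198.51.100.9 "app.example.com" "-" "https" "443abc" "GET /api HTTP/1.1"
`;
```

With the allowlist above, unsafeOrigin turns a request carrying X-Forwarded-Host: attacker.example into the origin https://attacker.example, so a relative /api/profile call resolves to the attacker's server; validateForwardedHeaders rejects the same headers, forwardedHeaderGuard answers 400 before rendering, and scanLog flags the three bad sample lines. Mount the guard in server.ts before the Angular render handler, and remember that it only sees what your proxy forwards; the proxy should still overwrite client-supplied X-Forwarded-* values.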