CVE-2026-46417
Analyzed Analyzed - Analysis Complete

Server-Side Request Forgery in Angular Platform Server

Vulnerability report for CVE-2026-46417, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-07-09
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 16 associated CPEs
Vendor Product Version / Range
angular angular to 18.2.14 (inc)
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular From 19.0.0 (inc) to 19.2.22 (exc)
angular angular From 20.0.0 (inc) to 20.3.21 (exc)
angular angular From 21.0.0 (inc) to 21.2.13 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This Server-Side Request Forgery (SSRF) vulnerability in Angular's @angular/platform-server can lead to exposure of internal APIs or metadata services by redirecting requests to attacker-controlled servers. Such exposure of internal data could potentially result in unauthorized access to sensitive information.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the confidentiality impact of this vulnerability is high, which implies a risk of data breaches or unauthorized data disclosure. This could affect compliance with regulations that require protection of personal or sensitive data.

Mitigating this vulnerability by applying patches or implementing strict URL validation is important to maintain compliance with data protection standards that mandate safeguarding against unauthorized access and data leaks.

Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) issue in the @angular/platform-server package used for server-side rendering (SSR) in Angular applications. It occurs when the SSR engine processes an absolute-form URL (such as http://evil.com) passed to rendering entry points. An attacker can manipulate the internal ServerPlatformLocation to adopt the attacker's domain as the current hostname. This causes any relative HttpClient requests or hostname references to be redirected to the attacker-controlled server.

As a result, internal APIs or metadata services that should be protected may be exposed to the attacker. The vulnerability affects versions prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22 and is classified under CWE-918 (Server-Side Request Forgery).

Impact Analysis

This vulnerability can have a high impact on the confidentiality of your system. An attacker can redirect internal requests to their own server, potentially gaining access to sensitive internal APIs or metadata services that are not intended to be exposed externally.

The attack requires no privileges or user interaction and can be executed remotely over the network. While the primary impact is on confidentiality, integrity and availability are not significantly affected.

Detection Guidance

This vulnerability involves the server-side rendering (SSR) engine in Angular processing absolute-form URLs that can manipulate the internal ServerPlatformLocation hostname. Detection involves checking if your Angular platform-server versions are vulnerable and if your server-side rendering code accepts unvalidated absolute URLs.

To detect exploitation attempts on your system or network, monitor server logs for requests containing absolute URLs passed to SSR rendering entry points, especially those with suspicious or external hostnames.

There are no specific commands provided in the resources to detect this vulnerability directly. However, you can:

  • Check the version of @angular/platform-server in your project to see if it is within the vulnerable range (versions prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22).
  • Review server logs for SSR requests that include absolute URLs, especially those pointing to external or attacker-controlled domains.
  • Implement logging or monitoring on the server-side rendering entry points to detect if absolute-form URLs are being passed without validation.

Since no explicit detection commands are provided, it is recommended to audit your SSR code and logs manually or with custom scripts to identify suspicious URL usage.

Mitigation Strategies

To mitigate this SSRF vulnerability in @angular/platform-server, you should upgrade to a patched version of Angular where the issue is fixed. The fixed versions are 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.

If immediate upgrading is not possible, implement strict URL validation in your server-side rendering entry points. Ensure that any absolute-form URLs passed to the rendering functions are validated against a trusted allowlist of hostnames before processing.

Use the new `allowedHosts` option introduced in the `PlatformConfig` to validate incoming request hostnames. This option enforces hostname validation during platform initialization and prevents unauthorized hostnames from being used in SSR.

  • Upgrade @angular/platform-server to one of the patched versions: 22.0.0-next.12, 21.2.13, 20.3.21, or 19.2.22.
  • Implement strict hostname allowlist validation in your SSR entry points to reject untrusted absolute URLs.
  • Use the `allowedHosts` configuration option in `PlatformConfig` to enforce hostname validation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46417. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart