Description

The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the host domain, path and character sanitization, and port validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to credential exfiltration, internal network probing, and a confidentiality breach. In order to be vulnerable, the victim application must use Angular SSR (Server-Side Rendering), the application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object, the application server must be reachable by an attacker who can influence these headers without strict validation from a front-facing proxy, and the infrastructure (Cloud, CDN, or Load Balancer) must not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Some workarounds are available. Avoid using `req.headers` for URL construction. Instead, use trusted variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their `server.ts` to enforce numeric ports and validated hostnames.

INFO

Published Date :

2026-02-25T16:47:29.705Z

Last Modified :

2026-02-27T17:59:11.328Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27739 vulnerability.

Vendors Products
Angular
  • @nguniversal/common
  • @nguniversal/express-engine
  • Angular
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27739.

URL Resource
https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf cve-icon cve-icon
https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF cve-icon cve-icon
https://github.com/angular/angular-cli/pull/32516 cve-icon cve-icon
https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability