CVE-2026-46417

Server-Side Request Forgery
Affects: Angular
Versions: <=18.2.14, >=19.0.0-next.0 <19.2.22, >=20.0.0-next.0 <20.3.21, >=21.0.0-next.0 <21.2.13, >=22.0.0-next.0 <22.0.0-next.12
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.

A Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-46417) has been identified in Angular's Platform Server, which allows attackers to manipulate URL handling during Server-Side Rendering (SSR) and can lead to unauthorized server-side requests to attacker-controlled or internal resources.

Per OWASP: In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases, or perform POST requests towards internal services which are not intended to be exposed.

This issue affects multiple versions of Angular.

Details

Vulnerability Info

This High-severity vulnerability is found in the @angular/platform-server package in multiple published versions of Angular.

In typical SSR setups, the server passes the incoming request URL directly to the rendering APIs renderModule or renderApplication. When an absolute-form URL (a full URL carrying its own scheme and host, e.g., http://evil.com, rather than an origin-form path such as /index) is provided as the request URL, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname. This hijacking can occur silently, effectively allowing the attacker to influence server-side network behavior.

As a result, any relative HttpClient requests or PlatformLocation.hostname references made during SSR can be redirected to the attacker-controlled server, potentially exposing internal APIs or metadata services.
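The two paragraphs above describe the mechanism: whatever string the handler treats as the "current" URL decides which host relative requests resolve against. The following is an added example, not Angular's code and not HeroDevs' patch; it uses the standard WHATWG URL class to model that resolution and shows one defensive step a handler can take before calling the rendering APIs: accept only origin-form request targets and build the render URL from an origin the operator configured. The function names (naiveResolve, buildRenderUrl) and the origins used are assumptions chosen for illustration.

```typescript
// Added example (not Angular's or HeroDevs' code). Models how a request
// target changes the resolved host, and one way to refuse targets that
// would move the "current" origin away from the trusted one.

// Resolve a request target the way a naive SSR handler effectively does when
// it hands the raw request URL to the renderer: the target becomes the
// document URL, and the server's own origin is only a fallback base.
// Returns the host that relative requests would then resolve against.
function naiveResolve(requestTarget: string, serverOrigin: string): string {
  return new URL(requestTarget, serverOrigin).host;
}

// Hardened: accept only origin-form targets ("/path?query") and derive the
// render URL from the configured origin, never from the request line.
// Throws on anything that would resolve to a different origin.
function buildRenderUrl(requestTarget: string, serverOrigin: string): string {
  // Absolute-form ("http://host/...") and scheme-relative ("//host/...")
  // targets both replace the host during resolution, so refuse them upfront.
  if (!requestTarget.startsWith("/") || requestTarget.startsWith("//")) {
    throw new Error(`refusing non-origin-form request target: ${requestTarget}`);
  }
  const resolved = new URL(requestTarget, serverOrigin);
  const trusted = new URL(serverOrigin);
  // Belt and braces: whatever parser quirks applied, the result must still
  // sit on the trusted scheme and host before it is used as the render URL.
  if (resolved.protocol !== trusted.protocol || resolved.host !== trusted.host) {
    throw new Error(`request target resolved to unexpected origin: ${resolved.origin}`);
  }
  return resolved.toString();
}

// Constructed sample inputs, labelled as such; app.example is a placeholder.
const TRUSTED_ORIGIN = "https://app.example";
console.log(naiveResolve("/api/items", TRUSTED_ORIGIN)); // app.example
console.log(naiveResolve("http://evil.example/", TRUSTED_ORIGIN)); // evil.example
console.log(buildRenderUrl("/api/items?q=1", TRUSTED_ORIGIN)); // https://app.example/api/items?q=1
```

The value returned by buildRenderUrl is what such a handler would pass as the url option of renderApplication or renderModule instead of the raw request target; a thrown error should be answered with a 400 and logged, since an absolute-form target arriving at an SSR handler is itself a useful detection signal. This check complements, and does not replace, upgrading to a patched version.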

Mitigation

Angular versions prior to 19 were already End-of-Life when this CVE was published and will not receive updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications to a patched version of Angular.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

Vulnerability Details

Severity: High (CVSS scale: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10)
ID: CVE-2026-46417
Project Affected: Angular
Versions Affected: <=18.2.14, >=19.0.0-next.0 <19.2.22, >=20.0.0-next.0 <20.3.21, >=21.0.0-next.0 <21.2.13, >=22.0.0-next.0 <22.0.0-next.12
NES Versions Affected:
Published date: May 27, 2026
≈ Fix date: May 13, 2026
Category: Server-Side Request Forgery