CVE-2026-27739 (GCVE-0-2026-27739)
Vulnerability from cvelistv5
Published
2026-02-25 16:47
Modified
2026-02-27 17:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the host domain, path and character sanitization, and port validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to credential exfiltration, internal network probing, and a confidentiality breach. In order to be vulnerable, the victim application must use Angular SSR (Server-Side Rendering), the application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object, the application server must be reachable by an attacker who can influence these headers without strict validation from a front-facing proxy, and the infrastructure (Cloud, CDN, or Load Balancer) must not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Some workarounds are available. Avoid using `req.headers` for URL construction. Instead, use trusted variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their `server.ts` to enforce numeric ports and validated hostnames.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| angular | angular-cli |
Version: >= 21.2.0-next.2, < 21.2.0-rc.0 Version: >= 21.0.0-next.0, < 21.1.5 Version: >= 20.0.0-next.0, < 20.3.17 Version: < 19.2.21 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27739",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T17:59:01.966307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T17:59:11.328Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "angular-cli",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003e= 21.2.0-next.2, \u003c 21.2.0-rc.0"
},
{
"status": "affected",
"version": "\u003e= 21.0.0-next.0, \u003c 21.1.5"
},
{
"status": "affected",
"version": "\u003e= 20.0.0-next.0, \u003c 20.3.17"
},
{
"status": "affected",
"version": "\u003c 19.2.21"
}
]
},
{
"product": "@nguniversal/common",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003c= 16.2.0"
}
]
},
{
"product": "@nguniversal/express-engine",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003c= 16.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular\u2019s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application\u0027s base origin without any validation of the destination domain. Specifically, the framework didn\u0027t have checks for the host domain, path and character sanitization, and port validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to credential exfiltration, internal network probing, and a confidentiality breach. In order to be vulnerable, the victim application must use Angular SSR (Server-Side Rendering), the application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object, the application server must be reachable by an attacker who can influence these headers without strict validation from a front-facing proxy, and the infrastructure (Cloud, CDN, or Load Balancer) must not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Some workarounds are available. Avoid using `req.headers` for URL construction. Instead, use trusted variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their `server.ts` to enforce numeric ports and validated hostnames."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T16:47:29.705Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx"
},
{
"name": "https://github.com/angular/angular-cli/pull/32516",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular-cli/pull/32516"
},
{
"name": "https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf",
"tags": [
"x_refsource_MISC"
],
"url": "https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF"
}
],
"source": {
"advisory": "GHSA-x288-3778-4hhx",
"discovery": "UNKNOWN"
},
"title": "Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27739",
"datePublished": "2026-02-25T16:47:29.705Z",
"dateReserved": "2026-02-23T18:37:14.790Z",
"dateUpdated": "2026-02-27T17:59:11.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27739\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-27T17:59:01.966307Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-27T17:59:08.064Z\"}}], \"cna\": {\"title\": \"Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline\", \"source\": {\"advisory\": \"GHSA-x288-3778-4hhx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"angular\", \"product\": \"angular-cli\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 21.2.0-next.2, \u003c 21.2.0-rc.0\"}, {\"status\": \"affected\", \"version\": \"\u003e= 21.0.0-next.0, \u003c 21.1.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 20.0.0-next.0, \u003c 20.3.17\"}, {\"status\": \"affected\", \"version\": \"\u003c 19.2.21\"}]}, {\"vendor\": \"angular\", \"product\": \"@nguniversal/common\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 16.2.0\"}]}, {\"vendor\": \"angular\", \"product\": \"@nguniversal/express-engine\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 16.2.0\"}]}], \"references\": [{\"url\": \"https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx\", \"name\": \"https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/angular/angular-cli/pull/32516\", \"name\": \"https://github.com/angular/angular-cli/pull/32516\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf\", \"name\": \"https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF\", \"name\": \"https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular\\u2019s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application\u0027s base origin without any validation of the destination domain. Specifically, the framework didn\u0027t have checks for the host domain, path and character sanitization, and port validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to credential exfiltration, internal network probing, and a confidentiality breach. In order to be vulnerable, the victim application must use Angular SSR (Server-Side Rendering), the application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object, the application server must be reachable by an attacker who can influence these headers without strict validation from a front-facing proxy, and the infrastructure (Cloud, CDN, or Load Balancer) must not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Some workarounds are available. Avoid using `req.headers` for URL construction. Instead, use trusted variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their `server.ts` to enforce numeric ports and validated hostnames.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-25T16:47:29.705Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-27739\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-27T17:59:11.328Z\", \"dateReserved\": \"2026-02-23T18:37:14.790Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-25T16:47:29.705Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…