CVE-2026-46417
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
In Angular versions prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The SSR engine can be manipulated by passing an absolute-form URL (e.g., http://evil.com), allowing an attacker to control the hostname and redirect HttpClient requests to an external server.
Risk Assessment
An attacker can exploit this vulnerability to make requests to internal APIs or metadata services, leading to exposure of sensitive data or unauthorized access to organizational network resources.
Recommendation
Immediately update Angular to version 22.0.0-next.12, 21.2.13, 20.3.21, or 19.2.22 depending on the branch in use. Additionally, restrict access to SSR rendering entry points to trusted sources only.
Original NVD description (English source)
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.

