Open Redirect Vulnerability in Angular SSR Affects Multiple Versions
CVE-2026-27738

6.9 MEDIUM

Key Information:

Vendor:
Angular

CVE Published:
25 February 2026

What is CVE-2026-27738?

An Open Redirect vulnerability exists in the internal URL processing logic of Angular SSR, a server-side rendering tool. The issue arises from improper handling of URL segments: only a single leading slash is stripped. If an Angular SSR application is deployed behind a proxy that forwards the X-Forwarded-Prefix header unsanitized, an attacker can exploit this flaw by injecting a URL that starts with three slashes. This can lead to phishing attacks and SEO hijacking, particularly if the application has routes that perform internal redirects. To mitigate the risk, developers should sanitize the X-Forwarded-Prefix header in the server.ts file before requests are processed by Angular SSR.
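Hardening the proxy header before Angular SSR sees it, as an added example that is neither Angular's nor the advisory's own code: the sanitizer collapses any run of leading slashes to one and rejects values that are not a plain absolute path, and a hypothetical Express-style middleware applies it in server.ts. Only the header name comes from the advisory; the request shape and sample value are constructed.

```typescript
// Added example, not Angular's code: normalise X-Forwarded-Prefix before the
// request reaches the Angular SSR engine, so a header value such as
// "///attacker.example" (constructed) cannot survive as a protocol-relative
// redirect target once a single leading slash has been stripped.

// Minimal request shape; the Express-style middleware signature is hypothetical.
interface PrefixRequest {
  headers: Record<string, string | string[] | undefined>;
}

// Returns the cleaned prefix, or "" when there is no prefix or the value must
// be ignored. Only a plain absolute path with no scheme, empty segment or
// ".." component passes.
function sanitizeForwardedPrefix(raw: string | undefined): string {
  if (!raw) return "";
  if (/^[a-z][a-z0-9+.-]*:/i.test(raw)) return "";                  // carries a scheme
  if (raw.includes("\\") || /[\x00-\x1f\x7f]/.test(raw)) return ""; // control chars / backslash
  const collapsed = raw.replace(/^\/+/, "/");                       // "///x" -> "/x"
  if (!collapsed.startsWith("/")) return "";                        // must be an absolute path
  if (collapsed.includes("//")) return "";                          // no empty segments anywhere
  if (collapsed.split("/").some((seg) => seg === "..")) return "";  // no path traversal
  return collapsed.replace(/\/+$/, "");                             // "/app/" -> "/app", "/" -> ""
}

// Express-style middleware: rewrite the header in place or drop it entirely,
// so downstream code only ever sees a value that is safe to prepend to a path.
function forwardedPrefixMiddleware(req: PrefixRequest, _res: unknown, next: () => void): void {
  const raw = req.headers["x-forwarded-prefix"];
  const clean = sanitizeForwardedPrefix(Array.isArray(raw) ? raw[0] : raw);
  if (clean) {
    req.headers["x-forwarded-prefix"] = clean;
  } else {
    delete req.headers["x-forwarded-prefix"];
  }
  next();
}
```

Register the middleware ahead of the Angular SSR request handler in server.ts so every route, including ones that redirect internally, receives the normalised header.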

Affected Version(s)

angular-cli >= 21.2.0-next.2, < 21.2.0-rc.0 (fixed in 21.2.0-rc.0)

angular-cli >= 21.0.0-next.0, < 21.1.5 (fixed in 21.1.5)

angular-cli >= 20.0.0-next.0, < 20.3.17 (fixed in 20.3.17)


CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved
