Open Redirect Vulnerability in Angular SSR Affecting Multiple Versions
CVE-2026-33397

6.9 MEDIUM

Key Information:

Vendor:
Angular

CVE Published:
26 March 2026

What is CVE-2026-33397?

Angular SSR is subject to an open redirect vulnerability that stems from an incomplete fix of an earlier issue. The server trusts the X-Forwarded-Prefix request header when building redirect targets, and the existing validation rejects a prefix that begins with two forward slashes but does not reject a backslash. An attacker who can set the header to a value such as a slash followed by a backslash and a hostname therefore gets it past validation; browsers that follow the WHATWG URL parser treat a backslash as a forward slash in http(s) URLs, so the resulting Location is read as a protocol-relative URL and the user is sent to an attacker-controlled domain. Because the affected responses are not emitted with a Vary: X-Forwarded-Prefix header, a shared cache sitting in front of the application can store a redirect produced by one attacker-supplied header and serve it to other users, turning a per-request open redirect into web cache poisoning. The fix is to upgrade to a patched release (see the affected versions below); as a defence in depth, reverse proxies should strip or overwrite X-Forwarded-Prefix from untrusted clients, and any code that derives a redirect from a forwarded header should validate it strictly and declare the dependency with a Vary header.
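The following is an added example, not code from Angular or from this advisory. It reconstructs the class of bug described above in plain Node.js: a prefix check that only rejects a leading `//` (assumed here as the shape of the incomplete validation; the real code is not shown on this page), a stricter check written for this example, and a look at where a browser-equivalent WHATWG URL parser actually sends the user. The function names, the origin `https://app.example` and the header values are all constructed for the demonstration.

```javascript
// Added example for CVE-2026-33397's bug class. Not Angular's code; the
// function names and the origin below are this example's own assumptions.
const ORIGIN = 'https://app.example'; // constructed origin for the demo

// Assumed shape of an incomplete check: it blocks "//host" but not "/\host".
// This is a reconstruction for illustration, not the project's real validator.
function vulnerablePrefixCheck(prefix) {
  if (typeof prefix !== 'string' || prefix === '') return '';
  if (prefix.startsWith('//')) return '';           // stops //evil.example only
  return prefix.startsWith('/') ? prefix : '/' + prefix;
}

// Hardened check written for this example: allow only a plain path made of
// unreserved characters and "/", refuse anything a browser could reinterpret
// as an authority, then confirm the resolved URL stays on our origin.
function hardenedPrefixCheck(prefix) {
  if (typeof prefix !== 'string' || prefix === '') return '';
  // Rejects "\", "?", "#", whitespace and control characters outright.
  if (!/^\/[A-Za-z0-9._~\-\/%]*$/.test(prefix)) return '';
  if (prefix.startsWith('//')) return '';           // protocol-relative
  if (prefix.split('/').includes('..')) return '';  // path traversal
  const resolved = new URL(prefix, ORIGIN);         // WHATWG URL parser
  if (resolved.origin !== ORIGIN) return '';        // belt and braces
  return resolved.pathname;
}

// Where a WHATWG-conformant browser actually lands for a Location built from
// `prefix + path`. Node's URL class implements the same backslash handling.
function redirectTarget(prefix, path) {
  return new URL(prefix + path, ORIGIN).href;
}

// Redirect response whose Location depends on the forwarded header. The Vary
// header tells shared caches not to reuse this response for other requests
// that carry a different X-Forwarded-Prefix.
function buildRedirect(prefix, path) {
  return {
    status: 301,
    headers: {
      Location: redirectTarget(prefix, path),
      Vary: 'X-Forwarded-Prefix',
    },
  };
}

// Constructed X-Forwarded-Prefix values: benign, the blocked form, and the
// backslash form that the incomplete check lets through.
const SAMPLE_HEADERS = ['/app', '//evil.example', '/\\evil.example'];

for (const h of SAMPLE_HEADERS) {
  const weak = vulnerablePrefixCheck(h);
  const strong = hardenedPrefixCheck(h);
  console.log(
    JSON.stringify(h).padEnd(20),
    'weak ->', weak ? redirectTarget(weak, '/home') : '(rejected)',
    '| hardened ->', strong ? redirectTarget(strong, '/home') : '(rejected)',
  );
}
```

Running it shows the weak check forwarding `/\evil.example` to `https://evil.example/home`, while the same header is rejected by the hardened check. The regex deliberately refuses percent-decoded or raw backslashes rather than trying to normalise them, because any normalisation step is another place the two parsers (server and browser) can disagree.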

Affected Version(s)

angular-cli >= 22.0.0-next.0, < 22.0.0-next.2 (fixed in 22.0.0-next.2; versions before 22.0.0-next.0 not affected)

angular-cli >= 21.0.0-next.0, < 21.2.3 (fixed in 21.2.3; versions before 21.0.0-next.0 not affected)

angular-cli >= 20.0.0-next.0, < 20.3.21 (fixed in 20.3.21; versions before 20.0.0-next.0 not affected)


CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published: 26 March 2026

  • Vulnerability reserved