Server-Side Request Forgery Flaw in Angular's Platform Server
CVE-2026-41423

8.7 HIGH

Key Information:

Vendor: Angular

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-41423?

A Server-Side Request Forgery (SSRF) vulnerability was identified in Angular's platform server, arising from improper handling of URLs during Server-Side Rendering (SSR). In versions prior to 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, an attacker could exploit this flaw by crafting a malicious HTTP request that misleads the server into treating an external domain as a local origin. As a result, the application could unintentionally redirect internal API calls or metadata service requests to the attacker's server, exposing sensitive information. The vulnerability is fixed in those versions.

Affected Version(s)

angular < 19.2.21

angular >= 20.0.0-next.0, < 20.3.19

angular >= 21.0.0-next.0, < 21.2.9
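The check below is an added example, not code from Angular or from this advisory: it classifies an Angular version string (for instance one read from a lockfile) against the fixed releases named above, using SemVer precedence so that prerelease tags such as `next.7` and `next.10` order correctly. The function names are hypothetical, and the 22.x boundary comes from the description rather than the affected-versions list.

```javascript
// Added example: classify a version against the fixed releases named in this advisory.
const FIXED = { 19: '19.2.21', 20: '20.3.19', 21: '21.2.9', 22: '22.0.0-next.8' };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer 2.0 precedence: negative if a < b, zero if equal, positive if a > b.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  }
  // With equal cores, a release outranks any prerelease of it.
  if (!a.pre.length || !b.pre.length) return b.pre.length - a.pre.length;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1; // fewer identifiers sorts first
    if (y === undefined) return 1;
    if (x === y) continue;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) return Number(x) - Number(y);
    if (xn !== yn) return xn ? -1 : 1; // numeric identifiers sort before alphanumeric ones
    return x < y ? -1 : 1;
  }
  return 0;
}

// Returns 'affected', 'fixed', or 'unknown' (major line not mentioned on this page).
function classify(version) {
  const v = parse(version);
  const major = v.core[0];
  if (major < 19) return 'affected'; // the page lists every release below 19.2.21
  if (!(major in FIXED)) return 'unknown';
  return compare(v, parse(FIXED[major])) < 0 ? 'affected' : 'fixed';
}

// Constructed sample versions, e.g. as read from a lockfile entry.
for (const v of ['18.2.13', '19.2.21', '20.0.0-next.3', '21.2.8', '22.0.0-next.7', '22.0.0-next.8']) {
  console.log(v.padEnd(16), classify(v));
}
```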

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
