Path Traversal Vulnerability in Angular SSR by Angular
CVE-2026-44437

6.9 MEDIUM

Key Information:

Vendor: Angular

CVE Published: 13 May 2026

What is CVE-2026-44437?

A vulnerability exists in the header processing logic of Angular SSR (Server-Side Rendering) in the affected versions. The issue stems from inadequate validation of the X-Forwarded-Prefix header: URL-encoded characters such as encoded dots (%2e%2e) are not handled properly, so an attacker can inject path traversal sequences in encoded form. If an Angular SSR application trusts proxy headers and is deployed behind a proxy that forwards this header unfiltered, an attacker can supply a crafted value (e.g., /%2e%2e/evil) to bypass the application's security checks. The vulnerability is fixed in versions 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7.
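The weakness described above is a check that sees a literal ".." but not its percent-encoded form. The following is an added example, not code from Angular or the Angular CLI project: a defender-side validator for a proxy-supplied X-Forwarded-Prefix value that decodes the header (with a bounded number of rounds, so double-encoding does not slip through either) before rejecting any "." or ".." segment. The function names and the sample request objects are constructed for this illustration.

```javascript
// Added example, not Angular's own code. Validates an X-Forwarded-Prefix
// value by decoding it first, so "%2e%2e" and ".." are treated alike.

const MAX_DECODE_ROUNDS = 3; // bound repeated decoding (guards "%252e" style input)

// Fully percent-decode a value. Returns null if the encoding is malformed
// or escapes remain after MAX_DECODE_ROUNDS (treated as hostile input).
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < MAX_DECODE_ROUNDS; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      return null; // bad escape sequence such as "%zz"
    }
    if (next === current) return current; // nothing left to decode
    current = next;
  }
  return current.includes('%') ? null : current;
}

// True only for a prefix that is safe to prepend to application routes.
function isSafeForwardedPrefix(rawPrefix) {
  if (rawPrefix === undefined || rawPrefix === '') return true; // no prefix set
  const decoded = fullyDecode(rawPrefix);
  if (decoded === null) return false;
  if (!decoded.startsWith('/')) return false;
  if (/[\\\u0000-\u001f]/.test(decoded)) return false; // backslash, control chars
  // Reject dot segments after decoding; this is the step the naive check skips.
  return decoded.split('/').every((seg) => seg !== '.' && seg !== '..');
}

// The check a naive implementation makes: a literal ".." only.
// Kept here to show what the encoded form slips past.
function naiveLiteralCheck(rawPrefix) {
  return !rawPrefix.includes('..');
}

// Middleware-style helper over a plain headers object (constructed, no framework):
// returns the decoded prefix when it is safe, otherwise falls back to "".
function trustedPrefixOrDefault(headers) {
  const raw = headers['x-forwarded-prefix'];
  if (raw === undefined || raw === '') return '';
  return isSafeForwardedPrefix(raw) ? fullyDecode(raw) : '';
}
```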

Affected Version(s)

angular-cli >= 22.0.0-next.0, < 22.0.0-next.7 (fixed in 22.0.0-next.7)

angular-cli >= 21.0.0-next.0, < 21.2.9 (fixed in 21.2.9)

angular-cli >= 20.0.0-next.0, < 20.3.25 (fixed in 20.3.25)

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved