Server-Side Request Forgery Vulnerability in Angular Platform Server
CVE-2026-46417

8.8 HIGH

Key Information:

Vendor

Angular

Status
Vendor
CVE Published:
22 June 2026

What is CVE-2026-46417?

A Server-Side Request Forgery (SSRF) vulnerability was identified in Angular platform server versions prior to the fixed releases listed under Affected Version(s). The flaw arises from the server-side rendering engine's handling of absolute-form URLs. An attacker who supplies a malicious URL to the rendering process can manipulate the server's request handling so that internal HTTP requests are redirected to a domain the attacker controls. This may lead to unauthorized access to sensitive internal APIs or metadata, putting the application and its data at risk. The issue has been resolved in later versions.

Affected Version(s)

angular >= 22.0.0-next.0, < 22.0.0-next.12 < 22.0.0-next.0, 22.0.0-next.12

angular >= 21.0.0-next.0, < 21.2.13 < 21.0.0-next.0, 21.2.13

angular >= 20.0.0-next.0, < 20.3.21 < 20.0.0-next.0, 20.3.21

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
