Remote Server-Side Request Forgery in Angular's platform-server Package
CVE-2026-50168

8.8 HIGH

Key Information:

Vendor: Angular
Status: Vendor
CVE Published: 22 June 2026

What is CVE-2026-50168?

A vulnerability in Angular's @angular/platform-server package allows remote attackers to bypass host allowlist constraints, leading to Server-Side Request Forgery (SSRF). The root cause is a parser differential: the strict WHATWG URL parser used by Node and the lenient URL parser in Domino (the DOM implementation platform-server uses on the server side) disagree on malformed input. Specifically, a URL containing a double port structure is rejected by Node's strict parser but accepted by Domino. An attacker can therefore supply a URL that one parser treats as allowlisted while the other resolves it elsewhere, causing the server to issue unauthorized outgoing requests to arbitrary external endpoints. The issue is fixed in versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
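The following is an added example, not code from Angular or Domino, showing the class of parser differential described above and a fail-closed allowlist check. The `lenientHost` function is a hypothetical regex-based host extractor standing in for any lenient parser (it is not Domino's implementation); `strictHost` uses Node's global WHATWG `URL`. The allowlist and sample URLs are constructed for illustration.

```javascript
// Added example (not Angular/Domino code): WHATWG vs. lenient URL parsing
// of a double-port URL, and a host allowlist check that fails closed.

// ASSUMPTION: a lenient host extractor that takes everything after "://"
// up to the first ':', '/', '?' or '#'. Stand-in for a lenient parser only.
function lenientHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#:]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Strict parsing with Node's WHATWG URL implementation; null on rejection.
function strictHost(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null;
  }
}

// Vulnerable pattern: decide with the lenient parser, then hand the raw
// string to something that parses it differently.
function lenientAllow(url, allowlist) {
  const host = lenientHost(url);
  return host !== null && allowlist.includes(host);
}

// Hardened pattern: parse exactly once with the strict parser, reject on
// any parse failure, refuse credentials in the URL, compare the parsed
// hostname, and return the normalised URL so the request uses the same
// parse that was checked.
function resolveAllowed(url, allowlist) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return null; // fail closed: unparsable input is never allowed
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  if (parsed.username !== '' || parsed.password !== '') return null;
  if (!allowlist.includes(parsed.hostname)) return null;
  return parsed.href;
}

// Constructed sample data.
const ALLOWLIST = ['api.example.test'];
const SAMPLES = [
  'http://api.example.test/data',                        // legitimate
  'http://api.example.test:80:8080/data',                // double port: WHATWG rejects
  'http://api.example.test:80:8080@attacker.test/data',  // allowlisted name in userinfo
];

function classify(url) {
  return {
    url,
    lenientHost: lenientHost(url),
    strictHost: strictHost(url),
    lenientAllowed: lenientAllow(url, ALLOWLIST),
    hardened: resolveAllowed(url, ALLOWLIST),
  };
}

for (const s of SAMPLES) console.log(classify(s));
```

The lenient extractor reports `api.example.test` for all three inputs, so a lenient allowlist check passes all of them; the WHATWG parser rejects the double-port form outright and resolves the third to `attacker.test`. The hardened check only admits the first URL, and it returns the parsed form so the later request cannot reinterpret the string.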

Affected Version(s)

angular >= 22.0.0-next.0, < 22.0.0-rc.2 (fixed in 22.0.0-rc.2)

angular >= 21.0.0-next.0, < 21.2.15 (fixed in 21.2.15)

angular >= 20.0.0-next.0, < 20.3.22 (fixed in 20.3.22)

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 22 June 2026

  • Vulnerability Reserved