CVE-2026-44437 Overview
CVE-2026-44437 is a path traversal vulnerability [CWE-22] in Angular Server-Side Rendering (SSR). The flaw exists in the X-Forwarded-Prefix header processing logic. The internal validation routine fails to account for URL-encoded characters, specifically the encoded dot sequence %2e%2e. Attackers can inject encoded traversal sequences that bypass security filters and are subsequently decoded by application logic. The vulnerability affects Angular SSR versions from 19.0.0-next.0 up to (but not including) 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7. Exploitation requires the application to trust proxy headers and operate behind a proxy that forwards X-Forwarded-Prefix without sanitization.
Critical Impact
Remote attackers can bypass path-based security filters using URL-encoded traversal sequences, enabling redirection or path manipulation in trusted Angular SSR deployments.
Affected Products
- Angular SSR 19.0.0-next.0 through versions prior to 19.2.25
- Angular SSR 20.x versions prior to 20.3.25
- Angular SSR 21.x versions prior to 21.2.9 and 22.0.0-next.x prior to 22.0.0-next.7
Discovery Timeline
- 2026-05-13 - CVE-2026-44437 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44437
Vulnerability Analysis
The vulnerability resides in Angular SSR's request preprocessing logic for the X-Forwarded-Prefix header. This header communicates a URL prefix added by an upstream proxy, allowing the SSR runtime to construct correct base URLs for rendered responses. Angular SSR validates the header value to reject traversal sequences such as the literal dot-dot segment (..). However, the validation operates on the raw header string before URL decoding. Attackers can submit the encoded equivalent %2e%2e, which passes the filter and is later decoded into .. when used by downstream routing or URL-construction logic.
Root Cause
The root cause is incomplete input canonicalization. Validation logic compares against the literal ASCII representation of traversal sequences, while the decoded form is later consumed by application logic. This mismatch between validation context and consumption context allows attacker-controlled traversal payloads to slip through the filter unchanged.
Attack Vector
The attack is exploitable over the network without authentication or user interaction. An attacker sends an HTTP request containing an X-Forwarded-Prefix header with a payload such as /%2e%2e/evil. The Angular SSR application must be configured to trust proxy headers, and the fronting proxy must forward the header verbatim without sanitization. Once accepted, the decoded value influences URL generation, redirects, or path-based access decisions within the rendered application, producing low-impact integrity and confidentiality effects on the SSR component and adjacent systems.
No verified public exploit code is available. Refer to the GitHub Security Advisory for further technical detail.
Detection Methods for CVE-2026-44437
Indicators of Compromise
- HTTP request logs containing X-Forwarded-Prefix header values with URL-encoded dot sequences such as %2e%2e, %2E%2E, or mixed-case variants.
- Application logs showing decoded .. segments in base-URL or prefix variables during SSR rendering.
- Anomalous redirect responses where the Location header includes attacker-controlled prefixes.
Detection Strategies
- Inspect reverse proxy and load balancer access logs for inbound X-Forwarded-Prefix headers containing percent-encoded characters.
- Correlate SSR error or warning events with requests carrying non-standard prefix values.
- Deploy WAF signatures that decode header values before applying traversal-pattern matching.
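The detection strategy above, as an added example (not part of the advisory and not Angular project code): a scanner that walks reverse-proxy access log lines, percent-decodes the inbound X-Forwarded-Prefix value before matching, and separates decoded dot-dot segments (high confidence) from any other percent-encoded prefix (worth a look, as the log-inspection bullet suggests). The log format is an assumption: one JSON object per request with the raw header under "xfp", as a custom nginx log_format could emit. The sample lines are constructed, including the client addresses and prefixes.

```typescript
// Added example, not from the advisory or the Angular project.
// Assumed log format: one JSON record per request, raw header value in "xfp".

export interface Finding {
  line: number;          // 1-based line number in the scanned log
  client: string;
  rawPrefix: string;
  decodedPrefix: string;
  reason: "traversal-after-decode" | "percent-encoded-prefix";
}

// Bounded repeated decoding so double-encoded values (%252e) are examined in
// the form the application would eventually see. Stops on malformed input.
function fullyDecode(value: string): string {
  let out = value;
  for (let i = 0; i < 3; i++) {
    let next: string;
    try {
      next = decodeURIComponent(out);
    } catch {
      break;
    }
    if (next === out) break;
    out = next;
  }
  return out;
}

// A ".." path segment bounded by start/end or a separator; "\" is included
// because some URL parsers treat it as a separator as well.
const DOTDOT_SEGMENT = /(^|[\/\\])\.\.($|[\/\\])/;

export function scanAccessLog(log: string): Finding[] {
  const findings: Finding[] = [];
  log.split("\n").forEach((text, idx) => {
    if (!text.trim()) return;
    let rec: { client?: string; xfp?: string };
    try {
      rec = JSON.parse(text);
    } catch {
      return; // skip malformed lines rather than abort the scan
    }
    if (typeof rec.xfp !== "string" || rec.xfp === "") return;
    const decoded = fullyDecode(rec.xfp);
    const base = {
      line: idx + 1,
      client: rec.client ?? "unknown",
      rawPrefix: rec.xfp,
      decodedPrefix: decoded,
    };
    if (DOTDOT_SEGMENT.test(decoded)) {
      // Matching on the decoded value catches %2e%2e, %2E%2E, mixed case and
      // double encoding with one rule.
      findings.push({ ...base, reason: "traversal-after-decode" });
    } else if (/%[0-9a-f]{2}/i.test(rec.xfp)) {
      findings.push({ ...base, reason: "percent-encoded-prefix" });
    }
  });
  return findings;
}

// Constructed sample log: lines 2-4 carry encoded traversal, line 5 is
// percent-encoded but benign, line 6 has no prefix at all.
export const SAMPLE_LOG = [
  '{"time":"2026-05-14T10:00:01Z","client":"10.0.0.5","method":"GET","uri":"/","xfp":"/app"}',
  '{"time":"2026-05-14T10:00:02Z","client":"203.0.113.7","method":"GET","uri":"/","xfp":"/%2e%2e/evil"}',
  '{"time":"2026-05-14T10:00:03Z","client":"203.0.113.7","method":"GET","uri":"/","xfp":"/%2E%2e/evil"}',
  '{"time":"2026-05-14T10:00:04Z","client":"203.0.113.9","method":"GET","uri":"/","xfp":"/%252e%252e/evil"}',
  '{"time":"2026-05-14T10:00:05Z","client":"10.0.0.5","method":"GET","uri":"/","xfp":"/caf%C3%A9"}',
  '{"time":"2026-05-14T10:00:06Z","client":"10.0.0.6","method":"GET","uri":"/","xfp":""}',
].join("\n");

for (const f of scanAccessLog(SAMPLE_LOG)) {
  console.log(`line ${f.line} ${f.client} ${f.reason}: ${f.rawPrefix} -> ${f.decodedPrefix}`);
}
```

Because the match runs on the decoded value, the rule does not need separate signatures for each case variant or for double encoding; a WAF rule built the other way round (pattern first, decode never) is exactly the gap the vulnerable validator had.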
Monitoring Recommendations
- Alert on any X-Forwarded-Prefix header originating from untrusted upstream sources or external clients.
- Track Angular SSR process versions across fleet inventory to confirm patched releases are deployed.
- Monitor outbound redirects and rendered HTML for unexpected base-href values that deviate from the application's known prefixes.
How to Mitigate CVE-2026-44437
Immediate Actions Required
- Upgrade Angular SSR to 19.2.25, 20.3.25, 21.2.9, or 22.0.0-next.7 depending on the deployed release line.
- Audit proxy configurations to confirm whether X-Forwarded-Prefix is trusted, and disable trust where the upstream proxy does not sanitize the header.
- Review recent access logs for encoded traversal sequences in the affected header.
Patch Information
The Angular team fixed the vulnerability in releases 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7. The patch normalizes header input prior to validation, ensuring URL-encoded traversal sequences are rejected. See the GitHub Pull Request for the code change and the GitHub Security Advisory for vendor guidance.
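To make the Root Cause and Patch Information sections concrete, the following is an added example and not Angular SSR's own code or the actual patch: acceptsPrefixRaw() models the vulnerable pattern (the filter runs on the raw header), acceptsPrefixHardened() canonicalizes before validating, and consumerBasePath() models a downstream consumer that decodes and resolves the prefix, which is where the accepted %2e%2e becomes a real dot-dot segment. The function names, the three-round decode limit and the http://ssr.internal origin are assumptions made for the example.

```typescript
// Added example, not Angular SSR's own code. Models the validation-context vs
// consumption-context mismatch described in the advisory.

// Vulnerable pattern: the check sees the raw string, so "%2e%2e" passes.
export function acceptsPrefixRaw(header: string): boolean {
  return !header.includes("..");
}

// Bounded repeated percent-decoding so double-encoded "%252e" is also reduced
// to ".". Returns null for malformed encodings or values still changing after
// maxRounds; callers treat null as invalid rather than guessing.
export function canonicalizePrefix(header: string, maxRounds = 3): string | null {
  let current = header;
  for (let i = 0; i < maxRounds; i++) {
    let next: string;
    try {
      next = decodeURIComponent(current);
    } catch {
      return null;
    }
    if (next === current) return current;
    current = next;
  }
  return null;
}

// Hardened pattern: normalize first, then validate the form the consumer
// will actually use, segment by segment.
export function acceptsPrefixHardened(header: string): boolean {
  if (header === "") return true; // proxy set no prefix
  const decoded = canonicalizePrefix(header);
  if (decoded === null || !decoded.startsWith("/")) return false;
  if (decoded.includes("\\")) return false; // some parsers treat "\" as a separator
  return decoded.split("/").every((seg) => seg !== ".." && seg !== ".");
}

// Models the downstream consumer: decode the prefix and resolve it into a base
// path. With the vulnerable filter in front, "/%2e%2e/evil" reaches this point,
// and URL resolution turns the decoded ".." into a path the filter meant to block.
export function consumerBasePath(header: string): string {
  return new URL(decodeURIComponent(header) + "/", "http://ssr.internal").pathname;
}

const samples = ["/app/v2", "/%2e%2e/evil", "/%2E%2E/evil", "/%252e%252e/evil", "/../evil"];
for (const s of samples) {
  console.log(
    `${s.padEnd(18)} raw-filter=${acceptsPrefixRaw(s)} hardened=${acceptsPrefixHardened(s)}`
  );
}
```

The decisive difference is where the decoding happens: the vulnerable check decodes after deciding, the hardened one decodes before. Rejecting on a decode failure (rather than silently keeping the raw string) matters too, since a value the validator cannot decode is one it cannot reason about.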
Workarounds
- Strip or overwrite the X-Forwarded-Prefix header at the edge proxy before requests reach Angular SSR.
- Configure the upstream proxy to URL-decode and validate header values, rejecting any containing .. after decoding.
- Disable proxy header trust in the SSR configuration if the prefix functionality is not required.
# Example NGINX configuration to strip the header at the edge.
# An empty value makes nginx omit the header from the proxied request entirely.
location / {
    proxy_set_header X-Forwarded-Prefix "";
    proxy_pass http://angular_ssr_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.