CVE-2026-50169
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.
An Information Exposure vulnerability (CVE-2026-50169) has been identified in Angular's Service Worker: an explicitly configured request redirect policy is stripped when the worker reconstructs an intercepted request, so the service worker can follow redirects into authenticated endpoints and leak session-restricted data.
Per MITRE CWE-200: An Exposure of Sensitive Information vulnerability means that the product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Per MITRE CWE-441: An Unintended Proxy or Intermediary vulnerability means that the product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
This issue affects multiple versions of Angular.
Details
Module Info
- Product: Angular
- Affected packages: @angular/service-worker
- Affected versions:
- <=18.2.14
- >=19.0.0-next.0 <19.2.23
- >=20.0.0-next.0 <20.3.22
- >=21.0.0-next.0 <21.2.15
- >=22.0.0-next.0 <22.0.0-rc.2
- GitHub repository: https://github.com/angular/angular
- Published packages: https://www.npmjs.com/package/@angular/service-worker
- Package manager: npm
- Fixed in:
- OSS Angular v19.2.23, v20.3.22, v21.2.15 and v22.0.0-rc.2
Vulnerability Info
This Medium-severity vulnerability is found in the @angular/service-worker package in multiple published versions of Angular.
When the Angular Service Worker intercepts a network request whose URL matches one of its configured asset groups, it reconstructs a new Request object through an internal helper function. During this reconstruction the helper does not carry over the redirect policy the client explicitly set on the original request: a strict setting such as redirect: 'error' is dropped, and the rebuilt request reverts to the browser default, redirect: 'follow'.
As a result, when the application issues a request with a strict redirect policy, expecting a network error rather than an automatic redirect, the service worker follows HTTP 3xx redirects to their destination instead. It thereby acts as an unintended proxy, or confused deputy: if a public route matched by an asset group redirects to a sensitive same-origin endpoint, the redirect is followed transparently and data from credential-guarded resources, which the strict policy was meant to stop at the network boundary, is returned to the caller.
This vulnerability affects any web application that registers the @angular/service-worker package and whose client-side code makes fetch calls with a strict redirect policy, such as { redirect: 'error' }, to paths matched by a service worker asset group that can return HTTP redirects to authenticated same-origin endpoints. Exploitation can lead to:
- Credential exposure: Cookies and authorization headers follow the redirect to endpoints the strict policy was meant to block.
- Session-restricted data leakage: Responses from authenticated same-origin routes are returned to client code that should have received a network error instead.
- Unintended proxying (confused deputy): The service worker follows redirects on the application's behalf, effectively relaying requests into protected routes.
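The following is an added example, not Angular's own service worker code, that models the request-reconstruction defect and its fix described above. It runs under Node 18+ (which provides the WHATWG Request global) and replaces the network with a constructed routing table in which a public asset path answers with a 302 to an authenticated endpoint. The helper names (rebuildRequestVulnerable, rebuildRequestFixed, simulatedFetch, serveThroughWorker), the origin and paths, and the session payload are all hypothetical.

```javascript
// Added example: models CVE-2026-50169 style request reconstruction.
// Not Angular's code; names, routes and data below are constructed for illustration.

// Vulnerable reconstruction: copies URL, method and headers but never the
// redirect policy, so the rebuilt Request silently gets the default 'follow'.
function rebuildRequestVulnerable(original) {
  return new Request(original.url, {
    method: original.method,
    headers: original.headers,
  });
}

// Hardened reconstruction: carries the caller's redirect policy through
// explicitly, so redirect: 'error' still fails closed at the network boundary.
function rebuildRequestFixed(original) {
  return new Request(original.url, {
    method: original.method,
    headers: original.headers,
    redirect: original.redirect,
  });
}

// Constructed stand-in for the server: a path an asset group would match
// redirects to a same-origin endpoint that returns session-bound data.
const ORIGIN = 'https://app.example';
const ROUTES = new Map([
  ['/assets/report.json', { status: 302, location: '/api/me' }],
  ['/api/me', { status: 200, body: '{"email":"alice@app.example","role":"admin"}' }],
]);

// Minimal fetch() model that honours the request's redirect mode the way a
// browser does: 'error' rejects, 'manual' yields an opaque redirect, 'follow'
// chases the Location header (bounded, as browsers bound it).
function simulatedFetch(request, hops = 0) {
  const path = new URL(request.url).pathname;
  const route = ROUTES.get(path);
  if (!route) return { status: 404, body: '' };
  if (route.status >= 300 && route.status < 400) {
    if (request.redirect === 'error') {
      throw new TypeError(`redirect to ${route.location} blocked by redirect: 'error'`);
    }
    if (request.redirect === 'manual') {
      return { status: 0, body: '', type: 'opaqueredirect' };
    }
    if (hops >= 20) throw new TypeError('too many redirects');
    const next = new Request(new URL(route.location, ORIGIN).toString(), {
      method: request.method,
      headers: request.headers,      // credentials travel with the hop, same-origin
      redirect: request.redirect,
    });
    return simulatedFetch(next, hops + 1);
  }
  return { status: route.status, body: route.body };
}

// What a service worker fetch handler built on either helper would hand back
// to client code that asked for a strict redirect policy.
function serveThroughWorker(rebuild) {
  const clientRequest = new Request(`${ORIGIN}/assets/report.json`, {
    redirect: 'error',
    headers: { authorization: 'Bearer constructed-session-token' },
  });
  const rebuilt = rebuild(clientRequest);
  try {
    const res = simulatedFetch(rebuilt);
    return { redirectMode: rebuilt.redirect, outcome: 'response', status: res.status, body: res.body };
  } catch (err) {
    return { redirectMode: rebuilt.redirect, outcome: 'error', message: err.message };
  }
}

console.log('vulnerable helper:', serveThroughWorker(rebuildRequestVulnerable));
console.log('fixed helper:     ', serveThroughWorker(rebuildRequestFixed));
```

With the vulnerable helper the rebuilt request reports redirect 'follow' and the worker returns the 200 body from /api/me to a caller that asked for an error; with the fixed helper the rebuilt request keeps 'error' and the redirect is refused. The same check, `rebuilt.redirect === original.redirect`, is a cheap assertion to keep in any code path that clones or rewrites requests.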
Mitigation
Angular versions prior to 19 were already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Migrate affected applications to a patched version of Angular.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.