CVE-2026-50170

Overview

Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.

An Information Exposure vulnerability (CVE-2026-50170) has been identified in Angular's Common, which caches user-specific server-side responses by default during hydration and can lead to one user's private data leaking to other users through shared HTML caches.

Per MITRE CWE-524: A Use of Cache Containing Sensitive Information vulnerability means that the code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

This issue affects multiple versions of Angular.

‍

Details

Module Info

• Product: Angular
• Affected packages: @angular/common
• Affected versions:
  • <=18.2.14
  • >=19.0.0-next.0 <19.2.23
  • >=20.0.0-next.0 <20.3.22
  • >=21.0.0-next.0 <21.2.15
  • >=22.0.0-next.0 <22.0.0-rc.2
• GitHub repository: https://github.com/angular/angular
• Published packages: https://www.npmjs.com/package/@angular/common
• Package manager: npm
• Fixed in:
  • OSS Angular v19.2.23, v20.3.22, v21.2.15 and v22.0.0-rc.2

Vulnerability Info

This High-severity vulnerability is found in the @angular/common package in multiple published versions of Angular.

When an application uses SSR with hydration, the HttpTransferCache utility caches the HTTP requests made during the server render and transfers that cached state to the client through TransferState, so the browser does not repeat the same requests after hydration. However, the caching mechanism does not inspect the withCredentials flag or the Cookie header on outgoing requests. As a result, credentialed, user-specific responses are cached by default and embedded in the shared TransferState payload that is serialized into the rendered HTML.

If that rendered HTML is then stored by a shared caching layer such as a CDN, reverse proxy, or server-side cache that does not distinguish between authenticated users, the cached page retains one user's private data. Subsequent visitors who receive the cached HTML obtain that user's information, which allows an unauthenticated attacker to read sensitive data belonging to other authenticated users.

This vulnerability affects any Angular application that uses SSR with hydration, performs credentialed HTTP requests during the server render, and serves its HTML through a shared cache that does not vary on the authenticated user. Exploitation can lead to:

• Cross-user information disclosure: Private, user-specific responses captured during one user's server render are served to other users from the shared cache.
• Unauthenticated access to authenticated data: An attacker who simply requests the cached page can read another user's sensitive information without holding any credentials.

‍

Mitigation

Angular versions prior to 19 were already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

• Migrate affected applications to a patched version of Angular.
• Leverage a commercial support partner like HeroDevs for post-EOL security support.