CVE-2026-50184

Information Exposure
Affects: Angular
Versions: <=18.2.14, >=19.0.0-next.0 <19.2.23, >=20.0.0-next.0 <20.3.22, >=21.0.0-next.0 <21.2.15, >=22.0.0-next.0 <22.0.0-rc.2
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.

An Information Exposure vulnerability (CVE-2026-50184) has been identified in Angular's Service Worker, which causes explicitly configured request credential and cache safety parameters to be stripped during request reconstruction and can lead to credential exposure and the persistence of private data in the browser cache.

Per MITRE CWE-200: An Exposure of Sensitive Information vulnerability means that the product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Per MITRE CWE-524: A Use of Cache Containing Sensitive Information vulnerability means that the code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

This issue affects multiple versions of Angular.

Details

Module Info

Vulnerability Info

This Medium-severity vulnerability is found in the @angular/service-worker package in multiple published versions of Angular.

When the Angular Service Worker intercepts a network request for an asset it matches, it reconstructs a new Request object using an internal helper function. During this reconstruction, the helper does not preserve the safety parameters the client explicitly set on the original request. The credentials configuration (such as credentials: 'omit') and the HTTP cache mode (such as cache: 'no-store') are dropped and revert to the browser defaults of credentials: 'same-origin' and the default cache behavior.

As a result, the browser attaches active credentials such as cookies and Authorization headers to outbound requests that the developer explicitly configured to omit them, which can leak the user's session to endpoints that were never meant to receive it. In addition, resources the developer marked as non-cacheable are stored by the service worker, so private responses can remain readable in the local cache, including after the user logs out.
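
The reconstruction problem described above, reduced to a simplified model and added here as an example (it is not Angular's source code or the HeroDevs patch). `rebuildLossy`, `rebuildPreserving` and `strippedFields` are hypothetical names, the URL is a placeholder, and the global `Request` class of a browser or Node.js 18+ is assumed.

```javascript
// The two request settings the advisory says were lost during reconstruction.
const SAFETY_FIELDS = ['credentials', 'cache'];

// Simplified model of a lossy reconstruction (hypothetical helper, not
// Angular's code): only method and headers are carried over, so every other
// setting falls back to the Request constructor's defaults.
function rebuildLossy(req) {
  return new Request(req.url, { method: req.method, headers: req.headers });
}

// Reconstruction that carries the caller's explicit settings forward.
function rebuildPreserving(req) {
  return new Request(req.url, {
    method: req.method,
    headers: req.headers,
    credentials: req.credentials,
    cache: req.cache,
  });
}

// Report every safety field whose value differs between the original request
// and the rebuilt one. An empty array means nothing was stripped.
function strippedFields(original, rebuilt) {
  return SAFETY_FIELDS
    .filter((field) => original[field] !== rebuilt[field])
    .map((field) => ({
      field,
      requested: original[field],
      effective: rebuilt[field],
    }));
}

// Constructed sample: a request the application wants sent without cookies
// and never written to a cache.
const original = new Request('https://app.example/assets/profile.json', {
  credentials: 'omit',
  cache: 'no-store',
  headers: { Accept: 'application/json' },
});

console.log('lossy:', strippedFields(original, rebuildLossy(original)));
console.log('preserving:', strippedFields(original, rebuildPreserving(original)));
```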

This vulnerability affects any web application that registers the @angular/service-worker package when client-side code relies on fetch calls with explicit safety attributes such as { credentials: 'omit' } or { cache: 'no-store' } against paths matched by a service worker asset group. Exploitation can lead to:

  • Credential exposure: Cookies and Authorization headers are attached to requests that were configured to omit them, leaking the active session to unintended endpoints.
  • Sensitive data persistence in cache: Responses marked non-cacheable are stored by the service worker, leaving private data readable in local cache storage.
  • Incomplete logout: Because those responses persist in cache, private session state can survive a logout that is expected to clear it.

Mitigation

Angular versions prior to 19 were already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications to a patched version of Angular.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

Severity: Medium
CVSS Assessment levels: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10
ID: CVE-2026-50184
Project Affected: Angular
Versions Affected: <=18.2.14, >=19.0.0-next.0 <19.2.23, >=20.0.0-next.0 <20.3.22, >=21.0.0-next.0 <21.2.15, >=22.0.0-next.0 <22.0.0-rc.2
NES Versions Affected:
Published date: June 12, 2026
≈ Fix date: May 28, 2026
Category: Information Exposure