Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: 'omit') and the HTTP cache mode configuration (such as cache: 'no-store'). These are reverted back to standard browser-default parameters (credentials: 'same-origin' and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker's engine, making private page states accessible or persistent inside the client's local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
References
| Link | Resource |
|---|---|
| https://github.com/angular/angular/pull/68904 | Issue Tracking Patch |
| https://github.com/angular/angular/security/advisories/GHSA-95qp-cmmw-mgqv | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
26 Jun 2026, 19:31
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
| First Time |
Angularjs
Angularjs angularjs |
|
| References | () https://github.com/angular/angular/pull/68904 - Issue Tracking, Patch | |
| References | () https://github.com/angular/angular/security/advisories/GHSA-95qp-cmmw-mgqv - Third Party Advisory | |
| CPE | cpe:2.3:a:angularjs:angularjs:22.0.0:rc1:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next0:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next6:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next3:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next11:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next9:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:rc0:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next5:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next2:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next1:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next7:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next10:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next8:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next4:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next12:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:* |
22 Jun 2026, 18:21
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-22 18:16
Updated : 2026-06-26 19:31
NVD link : CVE-2026-50184
Mitre link : CVE-2026-50184
CVE.ORG link : CVE-2026-50184
JSON object : View
Products Affected
angularjs
- angularjs
