CVE-2026-50184

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: 'omit') and the HTTP cache mode configuration (such as cache: 'no-store'). These are reverted back to standard browser-default parameters (credentials: 'same-origin' and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker's engine, making private page states accessible or persistent inside the client's local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next0:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next1:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next10:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next11:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next12:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next2:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next3:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next4:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next5:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next6:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next7:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next8:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next9:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:rc0:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:rc1:*:*:*:*:*:*

History

26 Jun 2026, 19:31

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.1
First Time Angularjs
Angularjs angularjs
References () https://github.com/angular/angular/pull/68904 - () https://github.com/angular/angular/pull/68904 - Issue Tracking, Patch
References () https://github.com/angular/angular/security/advisories/GHSA-95qp-cmmw-mgqv - () https://github.com/angular/angular/security/advisories/GHSA-95qp-cmmw-mgqv - Third Party Advisory
CPE cpe:2.3:a:angularjs:angularjs:22.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next0:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next6:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next3:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next11:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next9:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:rc0:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next5:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next2:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next1:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next7:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next10:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next8:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next4:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next12:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*

22 Jun 2026, 18:21

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-22 18:16

Updated : 2026-06-26 19:31


NVD link : CVE-2026-50184

Mitre link : CVE-2026-50184

CVE.ORG link : CVE-2026-50184


JSON object : View

Products Affected

angularjs

  • angularjs
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-524

Use of Cache Containing Sensitive Information