CVE Catalog

CVE-2026-50170

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile — higher than 22% of all known CVEs

Summary

A vulnerability was found in Angular's @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache does not inspect the withCredentials flag or Cookie header, causing credentialed user-specific responses to be cached in the shared TransferState. This can leak private data across users via caching layers like CDN or reverse proxy.

Risk Assessment

The organization risks exposure of sensitive user data, as private HTTP responses with credentials may be cached and served to other users. An attacker could exploit this to steal session data or other confidential information.

Recommendation

Upgrade Angular to version 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23 immediately. If upgrade is not possible, temporarily disable SSR or hydration for sensitive applications.

Original NVD description (English source)

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerability was discovered in @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState. However, the caching mechanism fails to inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared TransferState payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user's private data to other users, leading to a high-severity information disclosure vulnerability. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS