CVE-2026-50184
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk5th percentile - higher than 5% of all known CVEs
Summary
A vulnerability in the @angular/service-worker package strips explicit security parameters (credentials and cache mode) during request reconstruction by the Angular Service Worker. This causes the browser to include active credentials where they should be omitted and caches private resources locally, leading to potential session leaks and persistent private data.
Risk Assessment
The organization risks session leakage and persistent caching of private page states in the browser's local cache, which could allow unauthorized access to sensitive information after logout.
Recommendation
Immediately update the @angular/service-worker package to version 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23 depending on your Angular branch.
Original NVD description (English source)
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: 'omit') and the HTTP cache mode configuration (such as cache: 'no-store'). These are reverted back to standard browser-default parameters (credentials: 'same-origin' and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker's engine, making private page states accessible or persistent inside the client's local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

