CVE-2026-50169
Analyzed Analyzed - Analysis Complete

Request Policy Bypass in Angular Service Worker

Vulnerability report for CVE-2026-50169, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips the strict, client-defined request redirect policy configuration (such as redirect: 'error'), falling back to the browser's default 'follow' strategy. If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker will bypass this instruction and automatically follow HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary ("Confused Deputy") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-07-09
Generated
2026-07-13
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 19 associated CPEs
Vendor Product Version / Range
angular angular to 18.2.14 (inc)
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular From 19.0.0 (inc) to 19.2.23 (exc)
angular angular From 20.0.0 (inc) to 20.3.22 (exc)
angular angular From 21.0.0 (inc) to 21.2.15 (exc)
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
CWE-524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-50169 is a moderate-severity vulnerability in the Angular Service Worker package (@angular/service-worker) that causes the service worker to ignore client-defined strict redirect policies during request reconstruction.

When the Angular Service Worker intercepts network requests for matched assets, it rebuilds a new Request object but unintentionally strips out strict redirect policies like `redirect: 'error'`. Instead, it defaults to the browser's 'follow' redirect strategy.

This means that if a web application expects a network error on redirects, the service worker will instead follow the redirect automatically, acting as an unintended proxy or 'Confused Deputy'.

This behavior can lead to exposure of sensitive information such as cookies, credentials, or session-restricted data if public dynamic routes redirect to sensitive routes.

Impact Analysis

This vulnerability can impact you by exposing sensitive data such as cookies, credentials, or session-restricted information due to unintended automatic following of HTTP 3xx redirects.

If your web application uses strict client-side redirect policies to prevent automatic redirects and protect sensitive routes, this vulnerability bypasses those protections.

An attacker could exploit this by causing the Angular Service Worker to act as a proxy, potentially leaking sensitive session data when public routes redirect to authenticated or sensitive endpoints.

Exploitation requires an active Angular Service Worker, a matching asset group, same-origin redirection to sensitive routes, an authenticated user session, and client-side fetch calls with strict redirect policies.

Detection Guidance

Detection of this vulnerability involves verifying if your system is running a vulnerable version of the Angular Service Worker package (@angular/service-worker) and if the service worker is actively intercepting network requests with strict redirect policies.

You can check the installed version of @angular/service-worker in your project by running the following command in your project directory:

  • npm list @angular/service-worker

To detect if the service worker is intercepting requests and potentially bypassing redirect policies, you can monitor network traffic in your browser's developer tools or use command-line tools like curl with strict redirect policies to test the behavior.

For example, using curl to test redirect behavior with the 'error' redirect policy (note: curl does not support redirect policies like browsers, but you can observe redirect behavior):

  • curl -I -L --max-redirs 0 https://your-angular-app.example.com/path

Additionally, you can inspect the service worker's fetch event handling in your application to verify if redirect policies are preserved or stripped during request reconstruction.

Mitigation Strategies

Immediate mitigation steps include upgrading the @angular/service-worker package to a patched version where this vulnerability is fixed.

  • Upgrade to one of the fixed versions: 19.2.23, 20.3.22, 21.2.15, or 22.0.0-rc.2 or later.

If upgrading immediately is not possible, apply temporary mitigations such as:

  • Avoid public-to-private dynamic redirection in your application routes.
  • Apply strict cookie configurations to limit exposure.
  • Exclude secure or sensitive endpoints from service worker interception by adjusting the service worker configuration.
Compliance Impact

This vulnerability in the Angular Service Worker can lead to unintended proxy behavior that exposes sensitive information such as cookies or session-restricted data. Such exposure could potentially result in unauthorized access to personal or protected data.

Exposure of sensitive information may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and health-related data confidentiality and integrity.

Specifically, if an application using the vulnerable Angular Service Worker handles personal or sensitive data, this flaw could lead to data leakage through automatic following of redirects that bypass client-defined strict redirect policies.

Therefore, organizations relying on Angular Service Worker versions prior to the patched releases should consider this vulnerability a risk to maintaining compliance with standards that mandate protection against unauthorized data exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50169. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart