CVE-2026-50184
Undergoing Analysis Undergoing Analysis - In Progress
Angular Service Worker Credential Exposure Vulnerability

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: 'omit') and the HTTP cache mode configuration (such as cache: 'no-store'). These are reverted back to standard browser-default parameters (credentials: 'same-origin' and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker's engine, making private page states accessible or persistent inside the client's local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-23
AI Q&A
2026-06-22
EPSS Evaluated
N/A
NVD
CVE-2026-50184
EUVD
EUVD-2026-38296
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
angular service-worker to 22.0.0-rc.2 (exc)
angular service-worker to 22.0.0-rc.2 (inc)
angular service-worker 19.2.23
angular service-worker 20.3.22
angular service-worker 21.2.15
angular service-worker 22.0.0-rc.2
angular service-worker From 18.2.14 (inc) to 22.0.0-rc.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves verifying if the Angular Service Worker is intercepting requests and incorrectly reconstructing them by stripping explicit client-defined safety parameters such as credentials and cache mode.

You can monitor network requests to check if requests that should omit credentials (e.g., credentials: 'omit') are instead sent with credentials included (e.g., cookies or Authorization headers).

Suggested commands include using browser developer tools or command-line tools like curl or wget to inspect request headers and cache behavior.

  • Use browser developer tools (Network tab) to inspect outgoing requests and verify if credentials are included when they should be omitted.
  • Run curl commands with explicit credentials options and observe if the service worker modifies the request, for example: curl --cookie-jar /dev/null --header 'Authorization:' <URL>
  • Check the service worker cache storage in the browser to see if private or non-cacheable resources are being cached unexpectedly.
Mitigation Strategies

Immediate mitigation steps include updating the Angular Service Worker package to a patched version where this vulnerability is fixed.

The vulnerability is fixed in versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

If immediate upgrade is not possible, temporary mitigations include:

  • Configure strict cookie settings to limit exposure of credentials.
  • Exclude secure or sensitive endpoints from being cached by the service worker.
  • Programmatically clear the service worker's cache on user logout to prevent persistence of private data.
Executive Summary

CVE-2026-50184 is a vulnerability in the Angular Service Worker package that occurs when the service worker intercepts network requests for matched assets and reconstructs a new Request object. During this reconstruction, explicit client-defined safety parameters such as the credentials configuration (e.g., credentials: 'omit') and HTTP cache mode (e.g., cache: 'no-store') are stripped and reverted to default browser settings (credentials: 'same-origin' and default cache).

This causes the browser to include active credentials like cookies or Authorization headers in requests where the developer explicitly intended to omit them, potentially leading to session leaks. Additionally, private or non-cacheable resources may be cached by the service worker, making private page states accessible or persistent in the client’s local cache even after logout.

Impact Analysis

This vulnerability can lead to unintended exposure of sensitive information. Because credentials such as cookies or Authorization headers are included in requests where they should be omitted, attackers could potentially hijack user sessions or access protected resources.

Furthermore, private or non-cacheable resources might be cached by the service worker, causing sensitive data like private page states, medical records, or bank statements to persist in the client’s local cache after logout. This could allow unauthorized access to private information, especially on shared or public computers.

Compliance Impact

This vulnerability in the Angular Service Worker package can lead to unintended inclusion of credentials (such as cookies or Authorization headers) in network requests and caching of private or non-cacheable resources. Such behavior risks session leaks and persistence of sensitive user data after logout.

These issues could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict control over personal and sensitive information to prevent unauthorized access or exposure.

Specifically, accidental caching of sensitive information (e.g., medical records or bank statements) on shared computers or exposure of session credentials could violate confidentiality and data minimization principles mandated by these regulations.

Mitigations such as applying patches, enforcing strict cookie settings, excluding secure endpoints from service worker caching, and clearing caches on logout are important to maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50184. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart