CVE-2026-50184
Analyzed Analyzed - Analysis Complete

Angular Service Worker Credential Exposure Vulnerability

Vulnerability report for CVE-2026-50184, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: 'omit') and the HTTP cache mode configuration (such as cache: 'no-store'). These are reverted back to standard browser-default parameters (credentials: 'same-origin' and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker's engine, making private page states accessible or persistent inside the client's local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-07-09
Generated
2026-07-13
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 19 associated CPEs
Vendor Product Version / Range
angular angular to 18.2.14 (inc)
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular From 19.0.0 (inc) to 19.2.23 (exc)
angular angular From 20.0.0 (inc) to 20.3.22 (exc)
angular angular From 21.0.0 (inc) to 21.2.15 (exc)
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-50184 is a vulnerability in the Angular Service Worker package that occurs when the service worker intercepts network requests for matched assets and reconstructs a new Request object. During this reconstruction, explicit client-defined safety parameters such as the credentials configuration (e.g., credentials: 'omit') and HTTP cache mode (e.g., cache: 'no-store') are stripped and reverted to default browser settings (credentials: 'same-origin' and default cache).

This causes the browser to include active credentials like cookies or Authorization headers in requests where the developer explicitly intended to omit them, potentially leading to session leaks. Additionally, private or non-cacheable resources may be cached by the service worker, making private page states accessible or persistent in the client’s local cache even after logout.

Detection Guidance

Detection of this vulnerability involves verifying if the Angular Service Worker is intercepting requests and incorrectly reconstructing them by stripping explicit client-defined safety parameters such as credentials and cache mode.

You can monitor network requests to check if requests that should omit credentials (e.g., credentials: 'omit') are instead sent with credentials included (e.g., cookies or Authorization headers).

Suggested commands include using browser developer tools or command-line tools like curl or wget to inspect request headers and cache behavior.

  • Use browser developer tools (Network tab) to inspect outgoing requests and verify if credentials are included when they should be omitted.
  • Run curl commands with explicit credentials options and observe if the service worker modifies the request, for example: curl --cookie-jar /dev/null --header 'Authorization:' <URL>
  • Check the service worker cache storage in the browser to see if private or non-cacheable resources are being cached unexpectedly.
Mitigation Strategies

Immediate mitigation steps include updating the Angular Service Worker package to a patched version where this vulnerability is fixed.

The vulnerability is fixed in versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

If immediate upgrade is not possible, temporary mitigations include:

  • Configure strict cookie settings to limit exposure of credentials.
  • Exclude secure or sensitive endpoints from being cached by the service worker.
  • Programmatically clear the service worker's cache on user logout to prevent persistence of private data.
Compliance Impact

This vulnerability in the Angular Service Worker package can lead to unintended inclusion of credentials (such as cookies or Authorization headers) in network requests and caching of private or non-cacheable resources. Such behavior risks session leaks and persistence of sensitive user data after logout.

These issues could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict control over personal and sensitive information to prevent unauthorized access or exposure.

Specifically, accidental caching of sensitive information (e.g., medical records or bank statements) on shared computers or exposure of session credentials could violate confidentiality and data minimization principles mandated by these regulations.

Mitigations such as applying patches, enforcing strict cookie settings, excluding secure endpoints from service worker caching, and clearing caches on logout are important to maintain compliance.

Impact Analysis

This vulnerability can lead to unintended exposure of sensitive information. Because credentials such as cookies or Authorization headers are included in requests where they should be omitted, attackers could potentially hijack user sessions or access protected resources.

Furthermore, private or non-cacheable resources might be cached by the service worker, causing sensitive data like private page states, medical records, or bank statements to persist in the client’s local cache after logout. This could allow unauthorized access to private information, especially on shared or public computers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50184. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart