CVE-2026-54266
Received Received - Intake
Hash Collision in Angular SSR Cache

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, Angular's HttpTransferCache caches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in TransferState using a cache key generated by hashing request properties (method, response type, mapped URL, serialized body, and sorted query parameters). The cache keys are generated using a weak 32-bit DJB2-like polynomial rolling hash. The 32-bit hash space is extremely small, allowing attackers to find hash collisions. An attacker can easily find a query parameter string (e.g., q=aaCAZMMM for a search request) that produces the exact same 32-bit hash as a sensitive endpoint (e.g., /api/user/profile). When a victim visits a crafted link containing the colliding parameter, the SSR process executes both the search request and the profile request. Due to the hash collision, the search response overwrites the profile response in the TransferState cache. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-22
AI Q&A
2026-06-22
EPSS Evaluated
N/A
NVD
CVE-2026-54266
EUVD
EUVD-2026-38269
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
angular angular From 19.2.25 (inc) to 22.0.0-next.0 (inc)
angular angular 21.2.17
angular angular 20.3.25
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade Angular to one of the patched versions: 22.0.1, 21.2.17, or 20.3.25, where the weak hash algorithm has been replaced with a cryptographically secure SHA-256 implementation.

If upgrading is not immediately possible, temporary mitigations include disabling transfer caching for sensitive endpoints or disabling transfer caching globally via configuration.

These steps prevent attackers from exploiting hash collisions to poison the TransferState cache during SSR.

Compliance Impact

The vulnerability in Angular's HttpTransferCache allows attackers to cause state poisoning by overwriting cached responses with attacker-controlled data. This can lead to the application running with forged data, potentially bypassing security controls or enabling DOM-based XSS, and may result in information leakage if sensitive data is rendered on the page.

Such unauthorized data manipulation and potential exposure of sensitive information could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and integrity violations.

Mitigations include updating Angular to patched versions that use a cryptographically secure SHA-256 hashing algorithm for cache keys or disabling transfer caching for sensitive endpoints, helping to maintain compliance by preventing data tampering and leakage.

Executive Summary

This vulnerability exists in Angular's HttpTransferCache, which caches HTTP requests during Server-Side Rendering (SSR) to reuse them during client-side hydration. The cache keys are generated using a weak 32-bit DJB2-like polynomial rolling hash, which has a very small hash space.

Attackers can exploit this by finding query parameter strings that produce the same 32-bit hash as sensitive endpoints. When a victim visits a crafted link with such a parameter, the SSR executes both the attacker-controlled and sensitive requests, causing the attacker-controlled response to overwrite the legitimate one in the cache.

This leads to state poisoning, where the application runs with forged data, potentially bypassing security controls, enabling DOM-based cross-site scripting (XSS), or causing information leakage if sensitive data is rendered on the page.

The vulnerability affects Angular versions from 19.2.25 up to 22.0.0-next.0 and is fixed in versions 22.0.1, 21.2.17, and 20.3.25 by replacing the weak hash with a cryptographically secure SHA-256 algorithm.

Impact Analysis

This vulnerability can impact you by allowing attackers to poison the server-side rendered cache with forged data. This can cause your application to run with incorrect or malicious data.

Such state poisoning can lead to security control bypasses, DOM-based cross-site scripting (XSS) attacks, and leakage of sensitive information if the forged data includes confidential responses.

Because exploitation requires no privileges or user interaction, it poses a high risk to applications using vulnerable Angular versions.

Detection Guidance

Detection of this vulnerability involves identifying if your Angular application is using vulnerable versions of HttpTransferCache that employ the weak 32-bit DJB2-like polynomial rolling hash for caching HTTP requests during Server-Side Rendering (SSR).

You can check the Angular version used in your project to see if it is prior to the patched versions 22.0.1, 21.2.17, or 20.3.25.

Commands to detect the Angular version in your project include:

  • Run `ng version` in your project directory to display the Angular CLI and framework versions.
  • Check the package.json file for the Angular dependencies and their versions using `cat package.json | grep '@angular/core'`.

Additionally, monitoring HTTP requests during SSR for unusual cache key collisions or unexpected overwrites in TransferState could indicate exploitation attempts, but no specific commands for this detection are provided.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54266. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart