Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerability was discovered in @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState. However, the caching mechanism fails to inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared TransferState payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user's private data to other users, leading to a high-severity information disclosure vulnerability. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Published: 2026-06-22
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The HttpTransferCache feature in @angular/common is intended to cache HTTP requests made during server‑side rendering and transfer the cached state to the client via TransferState. Because the caching logic does not examine the withCredentials flag or Cookie header, responses that contain user‑specific credentials can be cached by default. When those responses are included in the HTML generated for SSR, any caching layer such as a CDN, reverse‑proxy, or shared server cache may store the page and later serve it to other users, thereby leaking private data. This flaw satisfies CWE‑524, specifically an improper handling of session‑based information.

Affected Systems

Angular developers using versions of @angular/common older than 22.0.0‑rc.2, 21.2.15, 20.3.22, or 19.2.23 are impacted. The problem manifests only when Server‑Side Rendering and hydration are enabled.

Risk and Exploitability

The CVSS score of 8.2 labels the flaw as high‑severity. No EPSS score is available and the vulnerability is not listed in CISA KEV, yet the potential for accidental data leakage remains significant. The likely attack vector involves a CDN or proxy that caches the SSR page; an attacker who can read the cached content can gain access to another user’s confidential information. Exploitation requires that the application renders SSR pages with transfer state containing credentialed responses, which is the normal operation of Angular SSR.

Generated by OpenCVE AI on June 22, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all @angular/common packages to v22.0.0‑rc.2 or newer versions (21.2.15, 20.3.22, or 19.2.23 as appropriate).
  • If an upgrade is not immediately possible, configure the application to avoid caching credential‑enabled requests by disabling the withCredentials flag or removing Cookie headers from requests that may become part of the transfer state.
  • Ensure that any CDN, reverse‑proxy, or shared server cache that serves SSR pages is configured to not cache pages that contain TransferState data, or only cache pages that are rendered statelessly.

Generated by OpenCVE AI on June 22, 2026 at 18:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q6f4-qqrg-jv6x @angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache
History

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerability was discovered in @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState. However, the caching mechanism fails to inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared TransferState payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user's private data to other users, leading to a high-severity information disclosure vulnerability. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Title Angular: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache
Weaknesses CWE-524
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T16:01:17.572Z

Reserved: 2026-06-03T20:54:20.433Z

Link: CVE-2026-50170

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-524

    Use of Cache Containing Sensitive Information