Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: 'omit') and the HTTP cache mode configuration (such as cache: 'no-store'). These are reverted back to standard browser-default parameters (credentials: 'same-origin' and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker's engine, making private page states accessible or persistent inside the client's local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Published: 2026-06-22
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The @angular/service-worker package fails to preserve client‑defined request options when it reconstructs a Request object for intercepted assets. Credentials settings such as credentials: 'omit' and cache options like cache: 'no-store' are reset to the browser defaults (credentials: 'same-origin' and the browser default cache). As a result, sensitive headers or cookies may be sent unintentionally and private page data may be cached by the service worker, allowing session secrets to leak or private content to remain cached after logout.

Affected Systems

Angular, specifically the @angular/service-worker package, is affected in all releases older than 22.0.0‑rc.2, 21.2.15, 20.3.22, and 19.2.23. Users running these earlier versions on websites that register a service worker are vulnerable. The issue is fixed in the quoted releases.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.7, indicating a moderate risk. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector likely requires the user to access a web application that registers a service worker and invokes affected assets; an attacker could observe leaked credentials or cached private data during that interaction.

Generated by OpenCVE AI on June 22, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the @angular/service-worker package to 22.0.0-rc.2 or newer, 21.2.15 or newer, 20.3.22 or newer, or 19.2.23 or newer, as these releases contain the fix for the request enforcement issue.
  • If upgrading is not immediately possible, remove or disable the service worker from the application to prevent the request reconstruction from occurring, thereby avoiding the credential and cache policy stripping.
  • After applying the upgrade or disabling the service worker, verify that request options (credentials and cache) are preserved by inspecting network requests in the browser developer tools to ensure no default values are being applied.

Generated by OpenCVE AI on June 22, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-95qp-cmmw-mgqv @angular/service-worker: Request Credential & Cache Policy Stripping
History

Wed, 08 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate


Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Angular
Angular angular
Vendors & Products Angular
Angular angular

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: 'omit') and the HTTP cache mode configuration (such as cache: 'no-store'). These are reverted back to standard browser-default parameters (credentials: 'same-origin' and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker's engine, making private page states accessible or persistent inside the client's local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Title Angular: Request Credential & Cache Policy Stripping in Angular Service Worker
Weaknesses CWE-200
CWE-524
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T13:48:24.684Z

Reserved: 2026-06-03T22:05:13.644Z

Link: CVE-2026-50184

cve-icon Vulnrichment

Updated: 2026-06-23T13:48:20.727Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T15:42:05Z

Links: CVE-2026-50184 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T20:00:06Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-524

    Use of Cache Containing Sensitive Information