CVE & CISA-KEV Catalog

CVE-2026-50184

MEDIUM
6.1
CVSS v3
NVD

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: 'omit') and the HTTP cache mode configuration (such as cache: 'no-store'). These are reverted back to standard browser-default parameters (credentials: 'same-origin' and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker's engine, making private page states accessible or persistent inside the client's local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

How to fix

Remediation Available
angularjsNVD
Affected:>= 21.0.0, < 21.2.15Fixed in:21.2.15CVE-2026-50184derived from NVD

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionRequired
ScopeChanged

Impact

ConfidentialityLow
IntegrityLow
AvailabilityNone

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploit Intelligence

0.15%probability of exploitation in 30 days
5thpercentile

Low risk: more likely to be exploited than 5% of all known CVEs.

References

Third-Party Advisory1
Embed a live status badge for CVE-2026-50184
CVE-2026-50184 severity badge

Markdown

[![CVE-2026-50184](https://tridentstack.com/cve/badge/CVE-2026-50184.svg)](https://tridentstack.com/cve/CVE-2026-50184)

HTML

<a href="https://tridentstack.com/cve/CVE-2026-50184"><img src="https://tridentstack.com/cve/badge/CVE-2026-50184.svg" alt="CVE-2026-50184"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-06-26.