Request Reconstruction Flaw in Angular Service Worker Affects Web Applications
CVE-2026-50169

5.7 MEDIUM

Key Information:

Vendor: Angular

Status
Vendor
CVE Published: 22 June 2026

What is CVE-2026-50169?

A vulnerability exists in the Angular Service Worker prior to version 22.0.0-rc.2 that impairs the enforcement of client-defined request policies during network request reconstruction. When intercepting requests for cached assets, the service worker may revert to a default redirection strategy, ignoring directives that specify strict behaviors like 'redirect: error'. This unintended fallback can lead to the exposure of cookies and credentials or the leakage of sensitive data from same-origin sessions, particularly when malicious redirects direct users to unauthorized destinations. The issue has been resolved in the latest versions.
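The defect class described above, shown as an added JavaScript illustration (not Angular's code or its fix): a rebuilt `Request` that copies only URL, method and headers loses the caller's `redirect: 'error'`, and a small check flags which policy fields a rebuild dropped. The helper names and the sample URL are hypothetical.

```javascript
// Added illustration: hypothetical helpers, not Angular Service Worker code.
// Request fields that carry the caller's policy for a fetch.
const POLICY_FIELDS = ['redirect', 'credentials', 'cache', 'referrerPolicy', 'integrity'];

// Lossy pattern: only url, method and headers are carried over, so every
// policy field silently falls back to its default (redirect -> 'follow').
function rebuildLossy(req) {
  return new Request(req.url, { method: req.method, headers: req.headers });
}

// Preserving pattern: copy each policy field from the intercepted request.
function rebuildPreserving(req) {
  const init = { method: req.method, headers: req.headers };
  for (const field of POLICY_FIELDS) init[field] = req[field];
  return new Request(req.url, init);
}

// Regression check: names of policy fields whose value changed in the rebuild.
function droppedPolicy(original, rebuilt) {
  return POLICY_FIELDS.filter((field) => original[field] !== rebuilt[field]);
}

// Constructed sample: a caller that refuses redirects and sends no credentials.
function demo() {
  const original = new Request('https://app.example/assets/main.js', {
    redirect: 'error',
    credentials: 'omit',
  });
  return {
    lossy: droppedPolicy(original, rebuildLossy(original)),
    preserving: droppedPolicy(original, rebuildPreserving(original)),
  };
}

console.log(demo());
```

It runs in Node 18+ or a browser console, where `Request` is a global; `droppedPolicy` fits a unit test around any custom fetch handler that rebuilds requests.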

Affected Version(s)

angular >= 22.0.0-next.0, < 22.0.0-rc.2

angular >= 21.0.0-next.0, < 21.2.15

angular >= 20.0.0-next.0, < 20.3.22

CVSS V4

Score: 5.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
