Service Worker Request Processing Vulnerability in Angular by Google
CVE-2026-50184

5.7 MEDIUM

Key Information:

Vendor: Angular

Status
Vendor
CVE Published: 22 June 2026

What is CVE-2026-50184?

An issue in the @angular/service-worker package affects the integrity of request-policy enforcement when the service worker reconstructs network requests. Prior to specific version updates, the Angular Service Worker could strip client-defined safety parameters such as credentials and cache mode, reverting them to browser defaults. As a result, sensitive credentials are included on requests that should omit them, potentially exposing session details, and private resources can be improperly cached, which could result in leakage of private user state.
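The failure mode described above, shown with the standard Fetch `Request` API as an added example (not Angular's code; the function names and the sample URL are hypothetical). It contrasts a reconstruction that carries over only URL, method and headers with one that copies the policy fields, and includes a drift check that can serve as a regression test:

```javascript
// Added illustration, not code from @angular/service-worker.
// Policy fields a client may set that a rebuilt request must keep.
const POLICY_FIELDS = ['credentials', 'cache', 'redirect', 'integrity'];

// Lossy pattern: only URL, method and headers are carried over, so every
// other option silently falls back to the Fetch default
// (credentials: 'same-origin', cache: 'default', redirect: 'follow').
function rebuildLossy(req) {
  return new Request(req.url, { method: req.method, headers: req.headers });
}

// Policy-preserving pattern: copy each client-set policy field explicitly.
function rebuildPreserving(req) {
  const init = { method: req.method, headers: req.headers };
  for (const field of POLICY_FIELDS) init[field] = req[field];
  return new Request(req.url, init);
}

// Regression check: names of policy fields whose value changed in the rebuild.
function policyDrift(original, rebuilt) {
  return POLICY_FIELDS.filter((f) => original[f] !== rebuilt[f]);
}

// Constructed sample: a client request that must not send cookies or be cached.
function sampleRequest() {
  return new Request('https://app.example.test/api/profile', {
    credentials: 'omit',
    cache: 'no-store',
    redirect: 'error',
  });
}

const original = sampleRequest();
console.log('lossy drift:', policyDrift(original, rebuildLossy(original)));
console.log('preserving drift:', policyDrift(original, rebuildPreserving(original)));
```

A non-empty drift list on any request path through a service worker means the client's policy was not honoured on the wire.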

Affected Version(s)

  • angular: >= 22.0.0-next.0, < 22.0.0-rc.2

  • angular: >= 21.0.0-next.0, < 21.2.15

  • angular: >= 20.0.0-next.0, < 20.3.22

CVSS V4

Score: 5.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
