Information Disclosure Vulnerability in Angular Service Worker by Google
CVE-2026-54264

8.3 HIGH

Key Information:

Vendor: Angular

CVE Published: 22 June 2026

What is CVE-2026-54264?

An information disclosure vulnerability has been identified in the @angular/service-worker package, affecting Angular versions earlier than the fixed releases. The flaw occurs when the Service Worker processes asset fetch requests and retains sensitive metadata, such as headers, from the original request. During cross-origin redirects, the Service Worker does not remove sensitive headers, which can lead to unauthorized access to sensitive information such as Authorization tokens and session cookies. Attackers exploiting this vulnerability can direct users to untrusted external origins, compromising application security. The issue has been fixed in versions 22.0.1, 21.2.17, and 20.3.25.

Affected Version(s)

angular >= 22.0.0-next.0 < 22.0.1 < 22.0.0-next.0 22.0.1

angular >= 21.0.0-next.0 < 21.2.17 < 21.0.0-next.0 21.2.17

angular >= 20.0.0-next.0 < 20.3.25 < 20.0.0-next.0 20.3.25


CVSS V4

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
