Cross-Site Request Forgery Vulnerability in Angular Framework
CVE-2026-54266

8.8 HIGH

Key Information:

Vendor

Angular

Status
Vendor
CVE Published:
22 June 2026

What is CVE-2026-54266?

The Angular framework has a vulnerability in its HttpTransferCache component, which caches HTTP requests made during Server-Side Rendering (SSR). This mechanism is designed to optimize performance by avoiding repeated requests during client-side hydration. Prior to versions 22.0.1, 21.2.17, and 20.3.25, however, cache keys were generated with a weak hashing algorithm, creating a high risk of hash collisions. Attackers can exploit this flaw by crafting query parameter strings whose hash matches that of a sensitive endpoint. When a user visits such a maliciously designed link, the SSR process inadvertently executes both the legitimate and the malicious request, leading to the unauthorized overwriting of sensitive data in the cache. This issue has been addressed in Angular versions 22.0.1, 21.2.17, and 20.3.25.

Affected Version(s)

angular >= 22.0.0-next.0 < 22.0.1 < 22.0.0-next.0 22.0.1

angular >= 21.0.0-next.0 < 21.2.17 < 21.0.0-next.0 21.2.17

angular >= 20.0.0-next.0 < 20.3.25 < 20.0.0-next.0 20.3.25

References

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
