Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-50169

CVE-2026-50169: Angular Service Worker Info Disclosure

CVE-2026-50169 is an information disclosure flaw in Angular Service Worker that bypasses redirect policies, potentially exposing credentials. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-50169 Overview

CVE-2026-50169 affects the @angular/service-worker package in Angular, a development platform for building mobile and desktop web applications using TypeScript and JavaScript. The vulnerability allows the service worker to strip the client-defined request redirect policy during request reconstruction. Applications that set redirect: 'error' to prevent automatic redirect following lose that protection when the service worker intercepts the request. The flaw enables a Confused Deputy condition where the service worker follows HTTP 3xx redirects against the application's intent. This can expose cookies, credentials, or same-origin session data when public dynamic routes redirect to sensitive endpoints. The issue is categorized as [CWE-200] Information Exposure.

Critical Impact

The service worker bypasses strict redirect policies and follows 3xx redirects automatically, potentially leaking session-restricted data through unintended cross-route flows.

Affected Products

  • Angular @angular/service-worker versions prior to 19.2.23
  • Angular @angular/service-worker versions 20.x prior to 20.3.22
  • Angular @angular/service-worker versions 21.x prior to 21.2.15 and 22.x prior to 22.0.0-rc.2

Discovery Timeline

  • 2026-06-22 - CVE-2026-50169 published to NVD
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2026-50169

Vulnerability Analysis

The Angular Service Worker intercepts network requests for matched assets and reconstructs each Request object through an internal helper function. During reconstruction, the helper does not propagate the original request's redirect property. The browser then applies its default follow strategy regardless of the caller's intent.

Client code that issues a fetch() call with redirect: 'error' expects a network error response when the server returns an HTTP 3xx status. With the service worker active, the redirect chain executes silently and the final destination response is returned to the caller. The service worker becomes an unintended proxy between the application and a redirect target it was never authorized to reach.

This behavior maps to a Confused Deputy pattern. An attacker who controls a public dynamic route that issues a redirect can chain it to a sensitive same-origin route, causing the browser to attach cookies and session credentials to the follow-on request. The response data flows back to the calling context, defeating the developer's defensive policy choice.

Root Cause

The root cause is incomplete option preservation in the request reconstruction helper inside @angular/service-worker. The redirect field on the source Request is dropped, and the new Request is created without the strict configuration the application supplied.

Attack Vector

Exploitation requires a target application that uses @angular/service-worker, makes client-side requests with redirect: 'error' or redirect: 'manual', and exposes a route that returns an HTTP 3xx response to a sensitive same-origin path. The attacker triggers the vulnerable request flow through normal user interaction with the application. Refer to the GitHub Security Advisory GHSA-gv2q-mqqv-365m for full technical details.

Detection Methods for CVE-2026-50169

Indicators of Compromise

  • Unexpected access log entries showing service worker requests to sensitive routes following a redirect from a public dynamic endpoint.
  • Browser network traces showing redirect chains completing when the originating fetch() specified redirect: 'error'.
  • Session cookies appearing in requests to internal routes that were not directly navigated by the user.

Detection Strategies

  • Inventory deployed Angular applications and identify versions of @angular/service-worker below the fixed releases.
  • Audit application code for fetch() calls that depend on redirect: 'error' or redirect: 'manual' semantics for security decisions.
  • Review server-side route handlers for public endpoints that return 3xx responses pointing to authenticated routes.

Monitoring Recommendations

  • Log and alert on 3xx responses originating from dynamic public routes that resolve to authenticated paths.
  • Monitor for anomalous patterns of same-origin requests carrying session cookies to backend endpoints not normally reached through the front-end navigation graph.
  • Track deployed front-end bundle versions in CI/CD telemetry to confirm patched @angular/service-worker builds reach production.

How to Mitigate CVE-2026-50169

Immediate Actions Required

  • Upgrade @angular/service-worker to 19.2.23, 20.3.22, 21.2.15, or 22.0.0-rc.2 based on the major version in use.
  • Rebuild and redeploy the service worker bundle so browsers fetch the patched ngsw-worker.js.
  • Force service worker update on clients by bumping the application version to invalidate cached workers.

Patch Information

The Angular team fixed the issue by preserving the redirect option during request reconstruction in @angular/service-worker. Patched releases are 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23. See the GitHub Pull Request #67494 for the code change and the GitHub Security Advisory for vendor guidance.

Workarounds

  • Remove redirects from public dynamic routes that could chain to sensitive same-origin paths until the patch is deployed.
  • Enforce redirect policy at the server layer by returning explicit error responses instead of 3xx codes on routes consumed by fetch() calls expecting redirect: 'error'.
  • Temporarily disable the service worker for affected request flows by excluding the target asset patterns from the ngsw-config.jsonassetGroups and dataGroups configuration.
bash
# Configuration example
npm install @angular/service-worker@21.2.15 --save
ng build --configuration production

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.