CVE-2026-50170 Overview
CVE-2026-50170 is a high-severity information disclosure vulnerability in Angular's @angular/common package. The flaw resides in the HttpTransferCache utility used during Server-Side Rendering (SSR) and client hydration. The cache fails to inspect the withCredentials flag or Cookie header on outgoing HTTP requests. As a result, credentialed, user-specific responses are serialized into the TransferState payload embedded in rendered HTML. Any caching layer in front of the application, such as a Content Delivery Network (CDN), reverse proxy, or shared server cache, can store one user's private data and return it to other users. The issue is tracked as [CWE-524: Use of Cache Containing Sensitive Information].
Critical Impact
Private user data cached during SSR can leak to unrelated users through downstream HTTP caches.
Affected Products
- Angular @angular/common versions prior to 22.0.0-rc.2
- Angular @angular/common versions prior to 21.2.15
- Angular @angular/common versions prior to 20.3.22 and 19.2.23
Discovery Timeline
- 2026-06-22 - CVE-2026-50170 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-50170
Vulnerability Analysis
Angular applications using SSR pre-render HTML on the server and then hydrate the client-side application from a serialized state. To avoid duplicate network requests after hydration, the HttpTransferCache interceptor stores outgoing HTTP responses generated during SSR. The framework then ships these responses to the browser through the TransferState mechanism embedded directly in the rendered HTML.
The cache treats all GET and HEAD responses as cacheable by default. It does not differentiate between anonymous responses and responses produced from authenticated requests. When the SSR request contains a forwarded Cookie header or sets withCredentials: true, the resulting user-specific response is still placed in TransferState. Anything that caches the rendered HTML downstream then serves that user's data to subsequent visitors.
Root Cause
The root cause is missing input inspection in the HttpTransferCache filter logic. The caching decision relies only on HTTP method and URL. It ignores credential indicators that signal a request is user-specific, leading to unsafe cross-user reuse of cached responses.
Attack Vector
Exploitation is network-based and requires no authentication or user interaction. An attacker requests an SSR-rendered page through a shared cache after a legitimate authenticated user has populated the cache. The CDN or reverse proxy returns the cached HTML, including the victim's serialized TransferState. Sensitive identifiers, tokens, or personal data inside the embedded JSON become visible in the response body. No exploit code is required because the disclosure occurs through normal HTTP requests against the cache. See the Angular Security Advisory GHSA-q6f4-qqrg-jv6x for technical details.
Detection Methods for CVE-2026-50170
Indicators of Compromise
- Rendered HTML responses containing <script id="ng-state"> blocks with user-specific identifiers, email addresses, or session data.
- CDN or reverse proxy cache entries for SSR routes returning identical TransferState payloads to multiple distinct clients.
- Application logs showing SSR HTTP client requests issued with forwarded Cookie headers or withCredentials: true.
Detection Strategies
- Inspect production HTML output from authenticated SSR routes and search the TransferState JSON for fields tied to user identity.
- Compare cached responses returned by the CDN across different sessions for the same URL to identify cross-user contamination.
- Audit Angular dependency manifests for @angular/common versions below the patched releases.
Monitoring Recommendations
- Log and alert on SSR backend requests that carry credentials, then correlate them with cache-hit ratios at the edge.
- Monitor support tickets and error reports for users seeing data belonging to other accounts.
- Track upstream cache headers such as Cache-Control, Vary, and Set-Cookie on SSR responses to detect missing privacy directives.
How to Mitigate CVE-2026-50170
Immediate Actions Required
- Upgrade @angular/common to 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23 depending on your major version.
- Purge existing CDN, reverse proxy, and shared server caches for any SSR routes that may have stored authenticated responses.
- Audit application code for HTTP calls during SSR that forward cookies or set withCredentials: true.
Patch Information
The Angular team fixed the issue in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23. The patch updates HttpTransferCache to skip caching of requests that carry credentials. Review the upstream fix in Angular Pull Request #67964 and the GitHub Security Advisory GHSA-q6f4-qqrg-jv6x.
Workarounds
- Disable HttpTransferCache by removing withHttpTransferCacheOptions or passing { filter: () => false } to skip caching entirely.
- Configure CDN and reverse proxy rules to mark SSR responses as Cache-Control: private, no-store when authentication cookies are present.
- Strip or avoid forwarding the Cookie header on outgoing HTTP requests issued during SSR until the patch is deployed.
# Configuration example
npm install @angular/common@21.2.15
npm audit --production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

