CVE-2026-50184 Overview
CVE-2026-50184 is an information disclosure vulnerability [CWE-200] in the @angular/service-worker package. Angular is a TypeScript/JavaScript development platform for building mobile and desktop web applications. The flaw compromises request-policy enforcement during request reconstruction inside the service worker. When the worker intercepts network requests for matched assets, it rebuilds the Request object and silently discards client-defined safety parameters such as credentials: 'omit' and cache: 'no-store'. The browser then sends active credentials on requests the developer intended to anonymize and caches resources marked non-cacheable. The issue is fixed in versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Critical Impact
Session credentials leak to outbound requests and private page states persist in the service worker cache after logout, enabling potential session hijacking and unauthorized access to cached private data.
Affected Products
- @angular/service-worker versions prior to 19.2.23
- @angular/service-worker versions 20.0.0 through 20.3.21
- @angular/service-worker versions 21.0.0 through 21.2.14 and 22.0.0-rc.1 and earlier
Discovery Timeline
- 2026-06-22 - CVE-2026-50184 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-50184
Vulnerability Analysis
The vulnerability lives in an internal helper function that reconstructs the Request object after the Angular Service Worker intercepts a fetch for a matched asset. During reconstruction, the helper omits explicit client-defined parameters from the original request. The credentials field is reverted to the browser default of same-origin, and the cache field is reverted to the standard HTTP cache mode. This silent reversion overrides the developer's stated intent and changes the security posture of the outbound request.
Two concrete impacts follow. First, the browser attaches cookies and Authorization headers to requests where the developer specified credentials: 'omit', creating session leak paths to endpoints that were meant to receive anonymous traffic. Second, responses for resources flagged cache: 'no-store' get stored by the service worker cache engine. Private page states remain accessible inside the local cache after logout, exposing user data to subsequent users of the same browser profile.
Root Cause
The root cause is incomplete property propagation during Request object reconstruction in the service worker. The helper function does not forward the credentials and cache initializer fields from the source request, causing the reconstructed object to inherit browser defaults rather than the developer's explicit configuration. This is classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
Attack Vector
Exploitation requires local access and user interaction, and the attack complexity is high. An attacker with access to a victim's browser cache after logout can extract private cached resources that should never have been stored. Alternatively, a malicious or compromised first-party endpoint can receive credentialed requests that the application logic explicitly intended to send anonymously. Refer to the GitHub Security Advisory GHSA-95qp-cmmw-mgqv for the full technical write-up.
Detection Methods for CVE-2026-50184
Indicators of Compromise
- Unexpected Cookie or Authorization headers on outbound requests from clients that declared credentials: 'omit' in fetch calls.
- Sensitive or user-specific responses present in the service worker Cache Storage after a user logout event.
- Server-side access logs showing authenticated traffic to endpoints expected to receive only anonymous traffic.
Detection Strategies
- Audit application dependencies for @angular/service-worker versions below the fixed releases using npm ls @angular/service-worker or equivalent SBOM tooling.
- Inspect browser DevTools Network tab to verify that credentials and cache headers on intercepted requests match the application's declared fetch options.
- Review service worker cache contents in Application > Cache Storage for entries that originated from endpoints marked Cache-Control: no-store.
Monitoring Recommendations
- Instrument server-side telemetry to alert on authenticated requests reaching endpoints documented as anonymous.
- Track @angular/service-worker package versions across deployed front-end builds via continuous SBOM scanning.
- Monitor user-reported session anomalies, such as data from previous sessions appearing after logout on shared devices.
How to Mitigate CVE-2026-50184
Immediate Actions Required
- Upgrade @angular/service-worker to 19.2.23, 20.3.22, 21.2.15, or 22.0.0-rc.2 depending on the major version in use.
- Rebuild and redeploy front-end assets so that updated service worker code is delivered to clients, and bump the service worker version to force activation.
- Invalidate active sessions and clear server-side session stores for users who logged out on shared or public devices during the exposure window.
Patch Information
The fix is delivered in Angular versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23. The patch updates the internal request reconstruction helper to preserve the original credentials and cache initializer values. See the Angular Pull Request #68904 for the code change and the GitHub Security Advisory GHSA-95qp-cmmw-mgqv for advisory details.
Workarounds
- Disable the Angular Service Worker in ngsw-config.json or by unregistering ServiceWorker until the package is patched, accepting the loss of PWA caching benefits.
- Avoid serving responses requiring Cache-Control: no-store semantics through service-worker-intercepted asset patterns until upgrading.
- Add a server-side check that rejects credentialed requests on endpoints intended to be anonymous, returning an explicit error rather than processing the request.
# Upgrade @angular/service-worker to a patched version
npm install @angular/service-worker@19.2.23
# or, depending on your major version:
npm install @angular/service-worker@20.3.22
npm install @angular/service-worker@21.2.15
npm install @angular/service-worker@22.0.0-rc.2
# Verify installed version
npm ls @angular/service-worker
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

