Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54266

CVE-2026-54266: Angular HttpTransferCache Info Disclosure

CVE-2026-54266 is an information disclosure vulnerability in Angular's HttpTransferCache that allows attackers to exploit hash collisions during SSR. This article covers technical details, affected versions, and patches.

Published:

CVE-2026-54266 Overview

CVE-2026-54266 affects Angular, a development platform for building mobile and desktop web applications using TypeScript and JavaScript. The vulnerability resides in Angular's HttpTransferCache, which caches HTTP requests made during Server-Side Rendering (SSR) for reuse during client-side hydration. The cache uses a weak 32-bit DJB2-like polynomial rolling hash to generate cache keys. The small hash space allows attackers to find collisions and overwrite cached responses for sensitive endpoints with attacker-controlled data. The flaw is classified under CWE-328: Use of Weak Hash and is fixed in Angular versions 22.0.1, 21.2.17, and 20.3.25.

Critical Impact

A remote attacker can craft a malicious link that causes attacker-controlled HTTP responses to replace sensitive cached data, leading to confidentiality compromise during SSR hydration.

Affected Products

  • Angular versions prior to 22.0.1
  • Angular versions prior to 21.2.17
  • Angular versions prior to 20.3.25

Discovery Timeline

  • 2026-06-22 - CVE-2026-54266 published to NVD
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2026-54266

Vulnerability Analysis

Angular's HttpTransferCache mechanism stores SSR-generated HTTP responses in TransferState so the client can reuse them during hydration. This avoids duplicate network requests when the page loads in the browser. Each cached response is keyed by a hash derived from the HTTP method, response type, mapped URL, serialized body, and sorted query parameters.

The cache key generation uses a DJB2-like polynomial rolling hash truncated to 32 bits. A 32-bit hash space contains roughly 4.29 billion possible values, which is computationally trivial for an attacker to brute-force. Attackers can precompute query parameter strings whose hashes collide with the cache keys of sensitive endpoints such as /api/user/profile.

When a victim follows a crafted link containing the colliding query parameter, the SSR process executes both the benign search request and the sensitive profile request. Because both produce the same cache key, the attacker-controlled search response overwrites the legitimate profile response in TransferState. The client subsequently hydrates application state from the poisoned cache entry.

Root Cause

The root cause is the use of a cryptographically weak hash function for security-relevant cache key generation. The DJB2 algorithm was designed for general-purpose string hashing, not collision resistance. Truncating the output to 32 bits further reduces the search space and enables practical collision attacks.

Attack Vector

Exploitation requires no authentication or user interaction beyond visiting a crafted URL. The attacker identifies a sensitive endpoint the application calls during SSR, computes a colliding query parameter, and delivers the link through phishing or other channels. The SSR pipeline processes both requests and the cache poisoning occurs server-side before being transferred to the client.

For technical details, refer to the GitHub Security Advisory GHSA-39pv-4j6c-2g6v and the GitHub Pull Request Discussion.

Detection Methods for CVE-2026-54266

Indicators of Compromise

  • Server-Side Rendering logs showing unusual query parameter patterns containing high-entropy or seemingly random strings paired with sensitive endpoint paths.
  • Hydration mismatches in client logs where rendered data does not match the expected user context.
  • Repeated requests to known sensitive API endpoints originating from SSR traffic with anomalous query parameters.

Detection Strategies

  • Audit Angular application versions across web infrastructure to identify deployments running versions prior to 22.0.1, 21.2.17, or 20.3.25.
  • Inspect Node.js SSR server logs for cache key collisions or repeated TransferState writes against the same key from different request origins.
  • Implement web application firewall rules that flag suspicious query parameter strings on routes known to trigger SSR for sensitive endpoints.

Monitoring Recommendations

  • Monitor SSR request volumes and query parameter entropy for statistical anomalies indicating brute-force collision probing.
  • Track outbound HTTP requests issued by the SSR process to detect unexpected combinations of sensitive and attacker-controlled endpoints in the same render cycle.
  • Correlate user session activity with SSR cache contents to identify cases where hydrated state does not match server-side authentication context.

How to Mitigate CVE-2026-54266

Immediate Actions Required

  • Upgrade Angular to version 22.0.1, 21.2.17, or 20.3.25 depending on your major version line.
  • Inventory all production Angular applications using HttpTransferCache or provideClientHydration with SSR enabled.
  • Review SSR-rendered endpoints handling sensitive data and consider disabling HttpTransferCache for those routes until patches are deployed.

Patch Information

The Angular team addressed the issue by replacing the weak 32-bit hash with a stronger cache key generation scheme. See the upstream fix in the GitHub Commit Overview and the merged GitHub Pull Request Discussion. The fix is included in releases 22.0.1, 21.2.17, and 20.3.25.

Workarounds

  • Disable HttpTransferCache globally by removing withHttpTransferCacheOptions from the hydration provider configuration where upgrading is not immediately feasible.
  • Configure HttpTransferCache to exclude requests carrying authentication headers or targeting sensitive API paths.
  • Apply server-side validation that rejects requests where SSR-cached responses do not match the authenticated user context before sending hydration data to the client.
bash
# Update Angular packages to a patched release
npm install @angular/core@22.0.1 @angular/common@22.0.1 @angular/platform-server@22.0.1

# Verify installed version
ng version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.