Back to overview

CVE-2026-54264

HIGH
8.3
CVSS 4.0
Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.

Metadata

CVE ID
CVE-2026-54264
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-12 17:13 UTC
Published
2026-06-22 15:32 UTC
Last updated
2026-06-22 15:32 UTC
Primary CWE
CWE-200
CWE-200: Exposure of Sensitive Information to an Unauthorize…
Vendor / Product
angular / angular
Sources
cve.org  ·  NVD

Severity & Metrics

8.3 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
angular angular >= 22.0.0-next.0 < 22.0.1, >= 21.0.0-next.0 < 21.2.17, >= 20.0.0-next.0 < 20.3.25, <= 19.2.25
Weakness (CWE)
CWESourceDescription
CWE-200 cna CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-359 cna CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.3 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
References (3)
Back to overview