CVE Catalog

CVE-2026-54264

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

13th percentile — higher than 13% of all known CVEs

Summary

In Angular, in the @angular/service-worker package, there is an information disclosure vulnerability. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request, but on cross-origin redirects, it fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin.

Risk Assessment

The risk is that an attacker can intercept sensitive authentication data of Angular application users, potentially leading to unauthorized access to systems and data.

Recommendation

Immediately update Angular to version 22.0.1, 21.2.17, or 20.3.25, depending on the branch used, to eliminate the vulnerability.

Original NVD description (English source)

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS