CVE-2026-50169 in Angular
Summary
by MITRE • 06/22/2026
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips the strict, client-defined request redirect policy configuration (such as redirect: 'error'), falling back to the browser's default 'follow' strategy. If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker will bypass this instruction and automatically follow HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary ("Confused Deputy") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Analysis
by VulDB Data Team • 06/22/2026
The vulnerability in Angular's @angular/service-worker package is a critical flaw in request-policy enforcement that undermines the security of web applications built on the platform. It affects versions prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, in which the service worker fails to preserve client-defined redirect policies during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it rebuilds each one as a new Request object through an internal helper function, and that helper strips the strict, client-defined redirect configuration. The result is a security gap that violates the principle of least privilege and correct request handling.
The technical implementation of this vulnerability stems from how the service worker's internal reconstruction process handles redirect policy parameters. When applications make requests with explicit redirect policies such as redirect: 'error', the service worker's helper function ignores these client specifications and defaults to the browser's standard 'follow' strategy. This automatic policy override transforms the service worker from a protective layer into an unintended intermediary that can bypass application security controls. The vulnerability manifests when public dynamic routes redirect to sensitive internal endpoints, creating opportunities for credential exposure and session-restricted data leakage. From a cybersecurity perspective, this represents a confused deputy problem where the service worker acts as an unwitting proxy for malicious redirection attempts.
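The mechanism described above, as an added illustration that is not Angular's own code: a hypothetical reconstruction helper that drops `redirect` beside one that preserves it, a constructed network stand-in in which a public route answers 302 to a session-restricted route, and a check that a service-worker test suite could keep as a regression guard. It assumes a runtime with the WHATWG Fetch `Request` global (Node 18+ or a browser); the URLs and route table are constructed sample data.

```javascript
// Added illustration of the CVE-2026-50169 bug class; not Angular's code.
// Assumes a runtime with the WHATWG Fetch `Request` global (Node 18+ or a browser).
// Hypothetical lossy helper: copies method and headers but silently drops
// `redirect`, so the rebuilt Request falls back to the default 'follow'.
function reconstructLossy(req) {
  return new Request(req.url, { method: req.method, headers: req.headers });
}

// Hardened form: carry the caller's redirect mode (and credentials mode) across.
function reconstructPreserving(req) {
  return new Request(req.url, { method: req.method, headers: req.headers,
                                redirect: req.redirect, credentials: req.credentials });
}

// Constructed stand-in for the network: a public route answering 302 to a
// session-restricted route. simulatedFetch applies a browser's `redirect` rules.
const SAMPLE_ROUTES = {
  'https://app.example/public/report': { status: 302, location: 'https://app.example/account/session' },
  'https://app.example/account/session': { status: 200, body: 'session-data' },
};
function simulatedFetch(request) {
  let url = request.url;
  for (let hops = 0; hops < 5; hops++) {
    const route = SAMPLE_ROUTES[url];
    if (!route) return { status: 404, url, body: '' };
    if (route.status < 300 || route.status >= 400) return { status: route.status, url, body: route.body };
    if (request.redirect === 'error') throw new TypeError('redirect refused: policy is "error"');
    if (request.redirect === 'manual') return { status: 0, type: 'opaqueredirect', url, body: '' };
    url = route.location; // 'follow': hop to the Location target
  }
  throw new TypeError('too many redirects');
}

// Send a redirect:'error' request through a reconstruction helper and report whether
// the 3xx was followed into the sensitive route (confused deputy) or refused.
function fetchThrough(reconstruct) {
  const original = new Request('https://app.example/public/report', { redirect: 'error' });
  try {
    const res = simulatedFetch(reconstruct(original));
    return { followed: true, finalUrl: res.url, body: res.body };
  } catch (e) {
    return { followed: false, error: e.message };
  }
}

// Regression check for a service-worker test suite: every redirect mode must survive.
function redirectModeSurvives(reconstruct) {
  return ['follow', 'error', 'manual'].every((mode) =>
    reconstruct(new Request('https://app.example/', { redirect: mode })).redirect === mode);
}
```

With the lossy helper, `fetchThrough` lands on the session-restricted route and returns its body; with the preserving helper, the 3xx is refused exactly as the client's `redirect: 'error'` demanded.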
The operational impact of this vulnerability extends beyond simple policy bypasses to create real security risks in production environments. When applications rely on strict redirect policies to prevent unintended access patterns or protect sensitive resources, the service worker's automatic behavior can expose users to credential theft and data leakage scenarios. The vulnerability particularly affects applications that implement session management or access control mechanisms where redirect policies serve as security boundaries. Attackers could exploit this flaw by crafting public endpoints that redirect to internal authenticated routes, effectively using the service worker as a means to bypass application-level security controls.
This vulnerability maps directly to CWE-284 (Improper Access Control) and CWE-310 (Cryptographic Issues) categories within the Common Weakness Enumeration framework. It also aligns with ATT&CK technique T1566.001 (Phishing via Service Worker) and T1071.004 (Application Layer Protocol: DNS) when considering how redirect manipulation can be used to establish unauthorized access paths. The fix implemented in versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23 ensures proper preservation of client-defined redirect policies during request reconstruction, maintaining the intended security boundaries that applications rely upon for protecting sensitive resources and user credentials.
Organizations running Angular applications should upgrade promptly to a fixed version (22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23) or apply the corresponding security patches. Security teams should identify applications that may be affected, in particular those that issue requests with strict redirect policies or that handle sensitive user data. Network monitoring should look for unusual redirection patterns that might indicate exploitation attempts, and application security reviews should confirm that service worker configurations honour client-defined policy parameters. Remediation requires careful testing so that the patch does not regress legitimate redirect handling while preserving the protection of user sessions and sensitive data.