CVE Alert

CVE-2026-54264

UNKNOWN 0.0

Angular: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
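
The redirect handling the description refers to, as an added illustration (not code from @angular/service-worker or from its patch): a request that follows a redirect to a different origin must not carry the sensitive headers forward. The header names are the ones the description lists; the function names, URLs and token are constructed for the example.

```javascript
// Added illustration; not Angular's code. Header names taken from the description above.
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Compute the URL and headers for the follow-up request after one redirect hop.
function headersAfterRedirect(currentUrl, location, headers) {
  const from = new URL(currentUrl);
  const to = new URL(location, from);            // Location may be relative
  const sameOrigin = from.origin === to.origin;  // scheme + host + port must all match
  const next = {};
  for (const [name, value] of Object.entries(headers)) {
    // Header names are case-insensitive, so compare in lower case.
    if (sameOrigin || !SENSITIVE_HEADERS.has(name.toLowerCase())) {
      next[name] = value;
    }
  }
  return { url: to.href, headers: next };
}

// Walk a whole redirect chain. A header dropped on one hop is not restored
// later, even if the chain returns to the original origin.
function followChain(startUrl, locations, headers) {
  let state = { url: startUrl, headers };
  const hops = [];
  for (const location of locations) {
    state = headersAfterRedirect(state.url, location, state.headers);
    hops.push(state);
  }
  return hops;
}

// Constructed sample: same-origin hop, cross-origin hop, then back again.
const sampleHeaders = { Authorization: 'Bearer example-token', Accept: 'image/png' };
const sampleHops = followChain(
  'https://app.example/assets/logo.png',
  ['/cdn/logo.png', 'https://cdn.example.net/logo.png', 'https://app.example/logo.png'],
  sampleHeaders
);
for (const hop of sampleHops) {
  console.log(hop.url, '->', Object.keys(hop.headers).join(', '));
}
```
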

CWE: CWE-200, CWE-359
Vendor: angular
Product: angular
Published: Jun 22, 2026

Affected Versions

angular / angular
>= 22.0.0-next.0 < 22.0.1
>= 21.0.0-next.0 < 21.2.17
>= 20.0.0-next.0 < 20.3.25
<= 19.2.25

References

github.com: https://github.com/angular/angular/security/advisories/GHSA-qxh6-94w6-9r5p
github.com: https://github.com/angular/angular/pull/69029
github.com: https://github.com/angular/angular/commit/47d68dcb26266316647133ab6385e77fc3e5ae08