Angular (@angular/service-worker) Request Credential & Cache Policy Stripping, CVE-2026-50184 (Moderate) -DC-Jun2026-421


CVE-2026-50184 describes a medium-severity vulnerability in the `@angular/service-worker` package. When the Angular Service Worker intercepts network requests for assets matched in `ngsw-config.json`, it reconstructs a new `Request` object using an internal helper. In that reconstruction process, the helper strips explicit client-defined safety parameters, specifically `credentials: 'omit'` (which instructs the browser to exclude cookies and authorization headers) and `cache: 'no-store'` (which prevents the response from being persisted).
By removing these directives, the service worker reverts to the browser's default behavior: `credentials: 'same-origin'` and standard HTTP caching. As a result, any fetch that should have been made without credentials instead sends the user's active session cookies or `Authorization` headers to the target endpoint. Sensitive data that should have remained uncached is stored in the browser's cache storage, potentially persisting after logout.
An attacker can exploit this flaw by convincing a victim to visit a page that triggers a protected-asset fetch under a strict `credentials: 'omit'` policy. Because the service worker does not honor the `omit` directive, the request is issued with the victim's authenticated session, allowing the attacker to access resources that would otherwise be off-limits. Likewise, previously uncached private data becomes stored in the local cache, enabling offline access or post-logout retrieval.
The impact is twofold: first, unintended credential exposure to endpoints that should not receive them, leading to session hijacking or unauthorised data leakage; second, persistent retention of sensitive information in the service worker cache, violating expected privacy boundaries.
Patches are available in Angular versions 21.2.15, 19.2.23, 20.3.22, and 22.0.0-rc.2. Upgrading is the recommended fix.

DailyCVE Form:

Platform: `@angular/service-worker`
Version: 18.2.14, 19.2.23, 20.3.22, 21.2.15
Vulnerability: credential & cache policy stripping
Severity: Moderate
Date: 2026-06-15

Prediction: 2026‑07‑15

What Undercode Say:

    # Confirm vulnerable version
    npm list @angular/service-worker
    # Inspect service worker reconstruction behaviour (simplified)
    grep -A5 "reconstructRequest" ngsw-worker.js
    # Patch verification – after upgrade
    npm install @angular/[email protected]
    ng build --configuration production

Analytics:

  • The internal helper function `reconstructRequest()` discards the `credentials: 'omit'` and `cache: 'no-store'` flags, causing a fallback to browser defaults.
  • This behaviour was confirmed by testing fetch calls to asset-group patterns that explicitly set `{ credentials: 'omit' }`: the outbound request still included cookies.
  • Cache storage analysis showed that responses with `cache: 'no-store'` remained in the service worker cache after navigation away from the page.
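
The fallback described above can be reproduced with the standard Fetch API `Request` object. This is an added example, not Angular's code: `rebuildLossy`, `rebuildPreserving` and `policyDrift` are hypothetical helpers, and the URL is a constructed placeholder.

```javascript
// Added example with hypothetical helper names; not the Angular source.
// Uses the standard Fetch API Request (browsers, service workers, Node 18+).

// Lossy rebuild: copies only method and headers, so credentials and cache
// fall back to the Fetch defaults ('same-origin' and 'default').
function rebuildLossy(req) {
  return new Request(req.url, { method: req.method, headers: req.headers });
}

// Preserving rebuild: carries the caller's policy fields across.
function rebuildPreserving(req) {
  return new Request(req.url, {
    method: req.method,
    headers: req.headers,
    credentials: req.credentials,
    cache: req.cache,
    redirect: req.redirect,
    referrerPolicy: req.referrerPolicy,
  });
}

// List every policy field whose value changed during the rebuild.
function policyDrift(original, rebuilt) {
  return ['credentials', 'cache', 'redirect', 'referrerPolicy']
    .filter((field) => original[field] !== rebuilt[field])
    .map((field) => `${field}: ${original[field]} -> ${rebuilt[field]}`);
}

// Constructed request, as an application would issue it for a private asset.
const original = new Request('https://app.example/assets/profile.json', {
  credentials: 'omit',
  cache: 'no-store',
});

console.log(policyDrift(original, rebuildLossy(original)));
console.log(policyDrift(original, rebuildPreserving(original)));
```

A check like `policyDrift` works as a regression test around any code path that clones or rebuilds requests inside a service worker.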

How Exploit:

  1. The attacker identifies an asset‑group pattern in the target’s `ngsw-config.json` that covers a sensitive endpoint.
  2. The victim is tricked into visiting a page that executes a fetch to that endpoint with `credentials: 'omit'`.
  3. The Angular Service Worker intercepts the request, discards the `omit` directive, and uses `credentials: 'same-origin'` instead.
  4. The browser attaches the victim’s active session cookies / `Authorization` header to the request.
  5. The endpoint returns data that is then leaked to the attacker (e.g., via cross‑origin side‑channel or by storing it in the service worker cache that the attacker can later read).

Protection from this CVE:

  • Upgrade to patched versions: 21.2.15, 19.2.23, 20.3.22, or 22.0.0‑rc.2.
  • If immediate upgrade is not possible, exclude all sensitive endpoints from `assetGroups` in ngsw-config.json.
  • Apply strict cookie flags: `SameSite=Strict; Secure; HttpOnly` to reduce the value of leaked credentials.
  • Manually purge the service worker cache on logout:
    // Delete every Cache Storage entry created by the Angular Service Worker
    if ('caches' in window) {
      caches.keys().then(names => {
        for (const name of names) {
          if (name.startsWith('ngsw:')) caches.delete(name);
        }
      });
    }
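
For the `assetGroups` exclusion above, a build-time audit can flag sensitive paths that an asset group still covers. This is an added example, not part of Angular: `globToRegex`, `coveredBy` and `auditNgswConfig` are hypothetical helpers, the glob handling is a simplified approximation of the documented `ngsw-config.json` rules, and the config and path list are constructed.

```javascript
// Added example: audit helper, not part of Angular. Glob handling is a
// simplified approximation of the documented ngsw-config.json rules.
function globToRegex(glob) {
  const body = glob
    .split('/')
    .map((seg) => (seg === '**'
      ? '\u0000' // placeholder, expanded below
      : seg.replace(/[.+^${}()|[\]\\?]/g, '\\$&').replace(/\*/g, '[^/]*')))
    .join('/')
    .replace(/\u0000\//g, '(?:.+/)?') // "**/" matches zero or more segments
    .replace(/\u0000/g, '.*');        // trailing "**" matches anything
  return new RegExp(`^${body}$`);
}

// Patterns are evaluated in order; a leading "!" excludes (simplification).
function coveredBy(patterns, path) {
  let hit = false;
  for (const p of patterns) {
    const negated = p.startsWith('!');
    if (globToRegex(negated ? p.slice(1) : p).test(path)) hit = !negated;
  }
  return hit;
}

// Return one finding per sensitive path that an asset group still covers.
function auditNgswConfig(config, sensitivePaths) {
  const findings = [];
  for (const group of config.assetGroups ?? []) {
    const res = group.resources ?? {};
    const patterns = [...(res.files ?? []), ...(res.urls ?? [])];
    for (const path of sensitivePaths) {
      if (coveredBy(patterns, path)) {
        findings.push(`assetGroup "${group.name}" covers ${path}`);
      }
    }
  }
  return findings;
}

// Constructed sample config and sensitive-path list.
const sampleConfig = {
  assetGroups: [
    { name: 'app', resources: { files: ['/index.html', '/*.js', '/*.css'] } },
    { name: 'lazy', resources: {
      files: ['/assets/**', '!/assets/private/**'], urls: ['/api/**'] } },
  ],
};
const sensitivePaths = ['/api/account/profile', '/assets/private/report.pdf'];
console.log(auditNgswConfig(sampleConfig, sensitivePaths));
```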
    

Impact

  • Credential Exposure: `Authorization` headers and session cookies are sent to endpoints that were meant to receive none, enabling session hijacking.
  • Cache Persistence: Private data is stored in the service worker cache, remaining accessible even after the user logs out.
  • Bypass of Security Controls: Developer-intended safeguards (`credentials: 'omit'`, `cache: 'no-store'`) are silently disabled, undermining the application's security model.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode