CVE-2026-54264
@angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker
Description
An information disclosure vulnerability exists in the `@angular/service-worker` package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., `Authorization` tokens, `Proxy-Authorization` credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin.

### Impact

If an application configured with the Angular Service Worker fetches assets with credential headers (such as an `Authorization` header), and one of those requests is redirected to a different origin, the Service Worker will forward those headers to the new origin. This exposes critical credentials and session identifiers to unauthorized third-party servers.

### Attack Preconditions

For this vulnerability to be exploitable:

1. **Vulnerable Configuration:** The application must utilize the `@angular/service-worker` package to fetch assets.
2. **Credentialed Requests:** The application must attach sensitive request headers (like `Authorization`, `Proxy-Authorization`, or rely on cookies) to asset-group requests.
3. **Redirect Flow:** These requests must encounter a cross-origin redirect to an attacker-controlled or untrusted domain.

### Patched Versions

* 22.0.1
* 21.2.17
* 20.3.25

### Credits

This vulnerability was discovered and reported by [CodeMender from Google DeepMind](https://deepmind.google/blog/introducing-codemender-an-ai-agent-for-code-security/).
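As an added example (not code from Angular or the `@angular/service-worker` package), the following JavaScript applies the Fetch redirect rule the advisory says was skipped: credential-bearing request headers are dropped only when the redirect target is a different origin, and an audit helper reports which headers a naive replay would expose. The header names are the ones the advisory lists; treating them as the complete set is an assumption, and the URLs and token are constructed sample values.

```javascript
// Added example, not Angular's own code. Demonstrates the Fetch redirect rule
// from the advisory: on a cross-origin redirect, credential headers from the
// original request must not be replayed to the new origin.
// Assumption: this list is taken from the advisory's examples; the exact
// Fetch-spec set of stripped headers may differ.
const CREDENTIAL_HEADERS = ['authorization', 'proxy-authorization', 'cookie'];

// Origin = scheme + host + port; URL.host already includes a non-default port.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Audit helper: which headers a "replay everything" redirect would hand to the
// redirect target. An empty array means no credential header would leak.
function credentialHeadersLeaked(originalUrl, location, headers) {
  const target = new URL(location, originalUrl).href; // Location may be relative
  if (sameOrigin(originalUrl, target)) return [];
  return Object.keys(headers)
    .map((n) => n.toLowerCase())
    .filter((n) => CREDENTIAL_HEADERS.includes(n));
}

// Safe follow-up: build the headers for the redirected request, dropping the
// credential headers only when the redirect crosses an origin boundary.
function headersForRedirect(originalUrl, location, headers) {
  const target = new URL(location, originalUrl).href;
  const crossOrigin = !sameOrigin(originalUrl, target);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (crossOrigin && CREDENTIAL_HEADERS.includes(lower)) continue;
    out[lower] = value;
  }
  return { url: target, headers: out };
}

// Constructed sample: an asset-group request carrying a bearer token is
// redirected off-origin (cross-origin) and, separately, within the origin.
const sample = {
  url: 'https://app.example/assets/main.js',
  headers: { Authorization: 'Bearer constructed-token', Accept: '*/*' },
};
console.log(credentialHeadersLeaked(sample.url, 'https://cdn.example.net/main.js', sample.headers));
// → [ 'authorization' ]
console.log(headersForRedirect(sample.url, '/assets/main.v2.js', sample.headers).headers);
// → { authorization: 'Bearer constructed-token', accept: '*/*' }
```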
How to fix CVE-2026-54264
To remediate CVE-2026-54264, upgrade the affected package to a fixed version below.
- `@angular/service-worker`: upgrade to 22.0.1 or later
Is CVE-2026-54264 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-54264.
Affected packages (1)
- `@angular/service-worker` >= 22.0.0-next.0, < 22.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |