CVE-2026-54264
Severity CVSS v4.0:
HIGH
Type:
CWE-200
Information Leak / Disclosure
Publication date:
22/06/2026
Last modified:
09/07/2026
Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Impact
Base Score 4.0
8.30
Severity 4.0
HIGH
Base Score 3.x
6.10
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:* | 19.2.25 (including) | |
| cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:* | 20.0.0 (including) | 20.3.25 (excluding) |
| cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:* | 21.0.0 (including) | 21.2.17 (excluding) |
| cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:* | 22.0.0 (including) | 22.0.1 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



