PatchSiren

CVE-2026-50169 angular CVE debrief

CVE-2026-50169 is a medium-severity vulnerability affecting the Angular service worker. Prior to versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, the service worker incorrectly reconstructs requests, stripping client-defined redirect policies. This can lead to unintended proxy behavior, potentially exposing sensitive data. The vulnerability has a CVSS score of 5.7 and is classified as CWE-200, CWE-441, and CWE-524.

Vendor: angular
Product: Unknown
CVSS: MEDIUM 5.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-22
Original CVE updated: 2026-06-26
Advisory published: 2026-06-22
Advisory updated: 2026-06-26

Who should care

Developers using Angular service workers, especially those handling sensitive data or strict request policies, should be aware of this vulnerability. Web applications with client-side requests and strict redirect policies are at risk. Security teams monitoring for potential credential exposure or data leakage should prioritize patching.

Technical summary

The Angular service worker intercepts network requests for matched assets and reconstructs a new Request object using an internal helper function. During this reconstruction, the helper strips the strict, client-defined redirect policy from the request, so the rebuilt request falls back to the browser's default 'follow' strategy. A client-side request made with a strict redirect policy therefore has that policy bypassed, and HTTP 3xx redirects are followed automatically to other destinations. The vulnerability affects versions prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
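The reconstruction flaw described above, as an added JavaScript example that is not Angular's code and not part of the original advisory: the hypothetical helpers `rebuildLossy` and `rebuildPreserving` rebuild a Request without and with the `redirect` field, and `droppedPolicy` is a regression check that names any policy field lost in the copy. The URL, header and helper names are constructed for illustration.

```javascript
// Added illustration; helper names are hypothetical, not Angular's internals.
// Policy fields a rebuilt Request must carry over from the client's original.
const POLICY_FIELDS = ['method', 'mode', 'credentials', 'cache', 'redirect'];

// Fields both rebuilds copy from the original request.
const baseInit = (req) => ({
  method: req.method,
  headers: req.headers,
  mode: req.mode,
  credentials: req.credentials,
  cache: req.cache,
});

// Lossy rebuild: `redirect` is not copied, so the new Request takes the
// Fetch default, 'follow', whatever the client asked for.
function rebuildLossy(req, url = req.url) {
  return new Request(url, baseInit(req));
}

// Preserving rebuild: same fields plus the client's redirect policy.
function rebuildPreserving(req, url = req.url) {
  return new Request(url, { ...baseInit(req), redirect: req.redirect });
}

// Regression check: names of policy fields whose value changed in the rebuild.
function droppedPolicy(original, rebuilt) {
  return POLICY_FIELDS.filter((f) => original[f] !== rebuilt[f]);
}

// Constructed sample requests; example.test is a placeholder origin.
const samples = ['error', 'manual', 'follow'].map(
  (redirect) => new Request('https://example.test/assets/app.js', {
    redirect, credentials: 'include', headers: { 'X-Sample': '1' },
  }));

// Run one rebuild strategy over the samples and report what survived.
function audit(rebuild) {
  return samples.map((req) => {
    const rebuilt = rebuild(req);
    return { asked: req.redirect, got: rebuilt.redirect,
             dropped: droppedPolicy(req, rebuilt) };
  });
}

console.log(audit(rebuildLossy));
console.log(audit(rebuildPreserving));
```

A check like `droppedPolicy` fits in a unit test around any code that clones or rewrites requests inside a service worker, so a dropped field fails the build instead of silently changing redirect handling.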

Defensive priority

Patching to versions 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23 is recommended. Review client-side request policies and consider implementing compensating controls to monitor and restrict sensitive data exposure.

Recommended defensive actions

  • Patch to versions 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23
  • Review and update client-side request policies
  • Monitor for potential credential exposure or data leakage
  • Implement compensating controls to restrict sensitive data exposure
  • Verify vendor remediation workflow and exception tracking

Evidence notes

The CVE record and NVD detail provide official information on the vulnerability. The source item URL offers additional context from the NVD database. References to issue tracking and patch information are available.

This article is AI-assisted and based on the supplied source corpus.