PatchSiren cyber security CVE debrief

CVE-2026-50170 angular CVE debrief

CVE-2026-50170 is a high-severity information disclosure vulnerability in Angular's @angular/common module when Server-Side Rendering (SSR) and hydration are enabled. The vulnerability arises because the HttpTransferCache utility does not inspect the withCredentials flag or the Cookie header of outgoing requests, so user-specific, credentialed responses can be cached and leaked. The issue affects Angular versions prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, and is fixed in those versions; users of affected versions should update to a patched release. The CVE was published on June 22, 2026, and modified on June 23, 2026.

Vendor: angular
Product: Unknown
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-22
Original CVE updated: 2026-06-23
Advisory published: 2026-06-22
Advisory updated: 2026-06-23

Who should care

Developers and administrators using Angular for web application development, especially those utilizing Server-Side Rendering (SSR) and hydration, should be aware of this vulnerability. Updating to the patched versions can prevent potential information disclosure. Security teams monitoring for vulnerabilities in web applications built with Angular should prioritize this CVE.

Technical summary

The HttpTransferCache utility in @angular/common optimizes hydration by caching the responses to HTTP requests performed during SSR and transferring that cached state to the client-side application via TransferState. However, it does not inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses are cached by default in the shared TransferState payload. Because that payload is serialized into the rendered HTML, any caching layer in front of the application (a CDN, reverse proxy, or shared server cache) that stores the SSR-rendered page can inadvertently cache one user's private data and serve it to other users.

Defensive priority

High. This vulnerability can lead to information disclosure, potentially exposing sensitive user data. Immediate action is recommended for applications using affected Angular versions.

Recommended defensive actions

  • Update to Angular 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23, or a later release of the same major line.
  • Review and adjust caching layers (e.g., CDNs, reverse proxies) so that SSR-rendered HTML which may embed per-user TransferState data is not cached and served to other users.
  • Implement additional monitoring to detect potential misuse of cached sensitive information.
  • Conduct a thorough inventory to identify and update vulnerable applications.
  • Consider compensating controls, such as a custom transfer-cache policy that excludes credentialed, user-specific responses from the shared payload.
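The withCredentials and Cookie checks that the technical summary says are missing, and the compensating control in the last bullet, as one added defensive example that is not Angular's own code: a predicate that keeps credentialed SSR responses out of the shared TransferState payload. The request type below is a simplified stand-in for Angular's HttpRequest (an assumption made so the file runs without Angular installed); in a real application the same logic would be adapted to HttpRequest and supplied as the filter option of withHttpTransferCacheOptions.

```typescript
// Added example, not Angular's code. Decides whether the response to an
// SSR-time request may be serialized into the shared TransferState payload.

// Simplified stand-in for Angular's HttpRequest (assumption).
interface SsrRequest {
  method: string;
  url: string;
  withCredentials: boolean;
  headers: Record<string, string>; // header names in any casing
}

// Headers whose presence marks a request as user-specific.
const CREDENTIAL_HEADERS = ["cookie", "authorization", "proxy-authorization"];

function hasHeader(headers: Record<string, string>, name: string): boolean {
  return Object.keys(headers).some((h) => h.toLowerCase() === name);
}

// True only when the response can safely be shared across users.
function isSafeToTransfer(req: SsrRequest): boolean {
  if (req.method !== "GET" && req.method !== "HEAD") return false;
  if (req.withCredentials) return false; // the flag the CVE says is not inspected
  return !CREDENTIAL_HEADERS.some((h) => hasHeader(req.headers, h));
}

// URLs that would be excluded from the transfer cache, useful for audit logs
// when validating the policy against real SSR traffic.
function rejectedUrls(reqs: SsrRequest[]): string[] {
  return reqs.filter((r) => !isSafeToTransfer(r)).map((r) => r.url);
}

// Constructed sample traffic for a demonstration run.
const SAMPLE: SsrRequest[] = [
  { method: "GET", url: "/api/public/config", withCredentials: false, headers: {} },
  { method: "GET", url: "/api/me/profile", withCredentials: true, headers: {} },
  { method: "GET", url: "/api/orders", withCredentials: false, headers: { Cookie: "session=abc" } },
  { method: "GET", url: "/api/admin", withCredentials: false, headers: { Authorization: "Bearer x" } },
  { method: "POST", url: "/api/search", withCredentials: false, headers: {} },
];

console.log("excluded from TransferState:", rejectedUrls(SAMPLE));
```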

Evidence notes

The CVE details were obtained from the official CVE record and the NVD database. The vulnerability is confirmed to exist in Angular versions prior to the patched versions. Limited information is available on public exploits or attacks; however, the potential for information disclosure is significant.

This article is AI-assisted and based on the supplied source corpus.