PatchSiren

CVE-2026-54264 angular CVE debrief

CVE-2026-54264 is an information disclosure vulnerability in the @angular/service-worker package of the Angular framework. Prior to 22.0.1, 21.2.17, and 20.3.25, the Service Worker preserves metadata from the original request when fetching assets, but fails to strip sensitive headers on cross-origin redirects. This allows a remote attacker to obtain sensitive credentials by triggering a cross-origin redirect to an untrusted external origin. The vulnerability has a CVSS score of 8.3 and is considered HIGH severity. The issue is fixed in 22.0.1, 21.2.17, and 20.3.25.

Vendor: angular
Product: Unknown
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-22
Original CVE updated: 2026-06-26
Advisory published: 2026-06-22
Advisory updated: 2026-06-26

Who should care

Developers and administrators using the Angular framework, particularly those using the @angular/service-worker package, should be aware of this vulnerability. The vulnerability allows a remote attacker to obtain sensitive credentials, making it a high-priority issue to address. Affected versions include those prior to 22.0.1, 21.2.17, and 20.3.25.

Technical summary

The @angular/service-worker package in the Angular framework has an information disclosure vulnerability, CVE-2026-54264. When the Service Worker fetches assets, it preserves metadata from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials by triggering a cross-origin redirect to an untrusted external origin. The vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
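The Fetch redirect algorithm's relevant step is that a redirect whose target origin differs from the current request's origin must not carry the Authorization header forward. The following is an added example, not code from Angular or the @angular/service-worker package, showing that check in a service worker that follows redirects itself with redirect: 'manual'. The header list, the app and third-party host names and the synchronous responder are constructed for illustration; dropping Cookie and Proxy-Authorization alongside Authorization is an assumption about what a worker that copies request metadata should do, not a description of Angular's fix.

```javascript
// Added example, not code from Angular or @angular/service-worker: the
// header-stripping step of the Fetch redirect algorithm, applied by a service
// worker that follows redirects itself. Names below are constructed.

// Authorization is the header the Fetch standard drops on a cross-origin
// redirect. The other two are credential-bearing headers a worker copying
// request metadata onto a follow-up request should also drop (assumption).
const STRIP_ON_CROSS_ORIGIN_REDIRECT = ['authorization', 'proxy-authorization', 'cookie'];

function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Headers to send to `targetUrl`, derived from the headers of the request that
// targeted `sourceUrl`. Keys are normalised to lowercase; credential headers
// survive only same-origin hops.
function headersForRedirect(sourceUrl, targetUrl, headers) {
  const crossOrigin = !sameOrigin(sourceUrl, targetUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (crossOrigin && STRIP_ON_CROSS_ORIGIN_REDIRECT.includes(key)) continue;
    out[key] = value;
  }
  return out;
}

// Follow a redirect chain hop by hop, re-deriving headers at each hop.
// `respond` is a synchronous stand-in for fetch(url, { headers, redirect: 'manual' })
// and returns { status, location }. Every hop is returned so a caller can inspect
// exactly which headers each origin would have received.
function followRedirects(startUrl, startHeaders, respond, maxHops = 5) {
  let url = startUrl;
  let headers = headersForRedirect(url, url, startHeaders);
  const hops = [];
  for (let i = 0; i <= maxHops; i++) {
    const res = respond(url, headers);
    hops.push({ url, headers, status: res.status });
    if (res.status < 300 || res.status > 399 || !res.location) return hops;
    const next = new URL(res.location, url).href;
    headers = headersForRedirect(url, next, headers);
    url = next;
  }
  throw new Error('redirect limit exceeded');
}

// Constructed responder: the app origin redirects /asset.js to a third-party
// host, which answers 200 to whatever it receives.
function constructedResponder(url) {
  const u = new URL(url);
  if (u.origin === 'https://app.example' && u.pathname === '/asset.js') {
    return { status: 302, location: 'https://third-party.example/asset.js' };
  }
  return { status: 200 };
}

// Stand-alone run: the second hop must not carry the Authorization header.
const demoHops = followRedirects(
  'https://app.example/asset.js',
  { Authorization: 'Bearer constructed-token', Accept: 'application/javascript' },
  constructedResponder,
);
console.log(demoHops.map(h => `${h.url} -> ${Object.keys(h.headers).join(',')}`).join('\n'));
```

The point of re-deriving the header set at every hop rather than once up front is that a chain can stay same-origin for several hops and only then leave the origin; the check has to run against the current URL and the next URL, not the URL the worker started with.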

Defensive priority

High priority should be given to updating the @angular/service-worker package to a fixed version (22.0.1, 21.2.17, or 20.3.25) to prevent exploitation of this vulnerability. Developers and administrators should review their dependencies and update them accordingly.

Recommended defensive actions

  • Update the @angular/service-worker package to 22.0.1, 21.2.17, or 20.3.25, whichever is the fixed release for the major version in use.
  • Review and update dependencies to ensure that all affected versions are addressed.
  • Monitor for potential exploitation attempts and review logs for suspicious activity.
  • Consider implementing additional security measures, such as validating and sanitizing user input.
  • Keep the Angular framework and its dependencies up to date with the latest security patches.

Evidence notes

The CVE-2026-54264 vulnerability is documented in the official CVE record and the NVD detail page. The vulnerability is caused by the Service Worker's failure to strip sensitive headers on cross-origin redirects, allowing a remote attacker to obtain sensitive credentials. The issue is fixed in 22.0.1, 21.2.17, and 20.3.25.

Official resources

This article is AI-assisted and based on the supplied source corpus.