PatchSiren cyber security CVE debrief
CVE-2026-54266 angular CVE debrief
CVE-2026-54266 is a high-severity vulnerability (CVSS 8.8) in Angular's HttpTransferCache, which caches HTTP requests made during Server-Side Rendering (SSR). The vulnerability allows attackers to find hash collisions in the cache keys, enabling them to overwrite sensitive data. The issue is fixed in Angular versions 22.0.1, 21.2.17, and 20.3.25. The CVE record and NVD detail provide further information on the vulnerability.
- Vendor: angular
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-22
- Original CVE updated: 2026-06-26
- Advisory published: 2026-06-22
- Advisory updated: 2026-06-26
Who should care
Developers using Angular to build mobile and desktop web applications should be aware of this vulnerability. It affects Angular versions prior to 22.0.1, 21.2.17, and 20.3.25. Users of affected versions should upgrade to the patched versions to prevent exploitation.
Technical summary
The vulnerability in Angular's HttpTransferCache is caused by a weak 32-bit DJB2-like polynomial rolling hash used to generate cache keys. This allows attackers to find hash collisions, enabling them to overwrite sensitive data. The cache keys are generated using request properties such as method, response type, mapped URL, serialized body, and sorted query parameters. An attacker can easily find a query parameter string that produces the exact same 32-bit hash as a sensitive endpoint, allowing them to execute both the search request and the profile request.
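As an added illustration (not code from Angular or from the advisory), the following JavaScript shows how a 32-bit cache key lets one cached response replace another, and how keying on the full request removes the collision. The hash is a generic DJB2-style stand-in, and the cache class, URL, parameters and responses are constructed for the example.

```javascript
// Added example. weakKey is a stand-in 32-bit DJB2-style hash (an assumption,
// not Angular's source); requests and responses below are constructed samples.
function weakKey(s) {
  let h = 5381;
  for (let i = 0; i < s.length; i++) h = (Math.imul(h, 33) + s.charCodeAt(i)) | 0;
  return (h >>> 0).toString(16).padStart(8, '0');
}

// Unambiguous serialization of the request properties that feed the cache key:
// method, response type, URL, serialized body and sorted query parameters.
function canonical(req) {
  const params = Object.entries(req.params || {})
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
  return JSON.stringify([req.method, req.responseType, req.url, req.body ?? null, params]);
}

// Collision-free alternative: key on the full canonical string itself.
const fullKey = (s) => s;

// Hypothetical minimal transfer cache: the key function decides entry identity.
class TransferCache {
  constructor(keyFn) { this.keyFn = keyFn; this.store = new Map(); }
  set(req, body) { this.store.set(this.keyFn(canonical(req)), body); }
  get(req) { return this.store.get(this.keyFn(canonical(req))); }
}

// Two benign search requests whose query values ("ab" and "bA") are a
// textbook colliding pair for h*33+c style hashes.
function run(keyFn) {
  const base = { method: 'GET', responseType: 'json', url: '/api/search' };
  const first = { ...base, params: { q: 'ab' } };
  const second = { ...base, params: { q: 'bA' } };
  const cache = new TransferCache(keyFn);
  cache.set(first, 'results for ab');
  cache.set(second, 'results for bA');
  return { entries: cache.store.size, servedForFirst: cache.get(first) };
}

console.log('32-bit key:', run(weakKey)); // one entry, wrong response served
console.log('full key:  ', run(fullKey)); // two entries, correct response served
```

With the 32-bit key the second write silently replaces the first entry, so a later lookup for the first request is served the other request's response; with the full key both entries coexist.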
Defensive priority
High-priority patching is recommended for this vulnerability. Developers should upgrade to Angular versions 22.0.1, 21.2.17, or 20.3.25 to prevent exploitation.
Recommended defensive actions
- Upgrade to Angular version 22.0.1, 21.2.17, or 20.3.25
- Review and update affected applications to use patched versions
- Monitor for suspicious activity and implement compensating controls
- Perform inventory checks to identify affected systems
- Implement additional security measures to prevent exploitation
Evidence notes
The CVE record and NVD detail provide further information on the vulnerability. The vulnerability is fixed in Angular versions 22.0.1, 21.2.17, and 20.3.25. The CVSS score is 8.8, indicating high severity.
Official resources
- CVE-2026-54266 CVE record (CVE.org)
- CVE-2026-54266 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch
- Mitigation or vendor reference: [email protected] - Third Party Advisory
This article is AI-assisted and based on the supplied source corpus.