{"id":"CVE-2026-50169","summary":"Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities","details":"Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips the strict, client-defined request redirect policy configuration (such as redirect: 'error'), falling back to the browser's default 'follow' strategy. If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker will bypass this instruction and automatically follow HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary (\"Confused Deputy\") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.","aliases":["GHSA-gv2q-mqqv-365m"],"modified":"2026-07-08T08:13:42.610844136Z","published":"2026-06-22T15:41:17.125Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50169.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-200","CWE-441","CWE-524"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50169.json"},{"type":"ADVISORY","url":"https://github.com/angular/angular/security/advisories/GHSA-gv2q-mqqv-365m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-50169"},{"type":"FIX","url":"https://github.com/angular/angular/pull/67494"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/angular/angular","events":[{"introduced":"0"},{"introduced":"e7566c3c475560616f97de2ab3c8f8d6f83be015"},{"fixed":"7801eaac2ab43dc6983efc2d1692443c45f11a5f"},{"introduced":"40e2b5b4d13792ed7c46a1d22afcf6c12ac9c679"},{"fixed":"db20819ddc5dde871d8707d6cfbbe378f85795b5"},{"introduced":"00dcbf2eeb3fd18ed39148e4bc9e49a5b35cae0c"},{"fixed":"cea6588bb301c9a71fe703fd1cb3a2165fd768b4"},{"introduced":"62676269d207db80576052d080b756e938be97ea"}],"database_specific":{"source":["CPE_RANGE","CPE_STRING"],"cpe":["cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*","cpe:2.3:a:angularjs:angularjs:22.0.0:next0:*:*:*:*:*:*","cpe:2.3:a:angularjs:angularjs:22.0.0:next1:*:*:*:*:*:*","cpe:2.3:a:angularjs:angularjs:22.0.0:next10:*:*:*:*:*:*","cpe:2.3:a:angularjs:angularjs:22.0.0:next11:*:*:*:*:*:*","cpe:2.3:a:angularjs:angularjs:22.0.0:next12:*:*:*:*:*:*","cpe:2.3:a:angularjs:angularjs:22.0.0:next2:*:*:*:*:*:*","cpe:2.3:a:angularjs:angularjs:22.0.0:next3:*:*:*:*:*:*","cpe:2.3:a:angularjs:angularjs:22.0.0:next4:*:*:*:*:*:*","cpe:2.3:a:angularjs:angularjs:22.0.0:next5:*:*:*:*:*:*","cpe:2.3:a:angularjs:angularjs:22.0.0:next6:*:*:*:*:*:*","cpe:2.3:a:angularjs:angularjs:22.0.0:next7:*:*:*:*:*:*","cpe:2.3:a:angularjs:angularjs:22.0.0:next8:*:*:*:*:*:*","cpe:2.3:a:angularjs:angularjs:22.0.0:next9:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"18.2.14"},{"introduced":"19.0.0"},{"fixed":"19.2.23"},{"introduced":"20.0.0"},{"fixed":"20.3.22"},{"introduced":"21.0.0"},{"fixed":"21.2.15"},{"introduced":"22.0.0-next0"},{"last_affected":"22.0.0-next0"},{"introduced":"22.0.0-next1"},{"last_affected":"22.0.0-next1"},{"introduced":"22.0.0-next10"},{"last_affected":"22.0.0-next10"},{"introduced":"22.0.0-next11"},{"last_affected":"22.0.0-next11"},{"introduced":"22.0.0-next12"},{"last_affected":"22.0.0-next12"},{"introduced":"22.0.0-next2"},{"last_affected":"22.0.0-next2"},{"introduced":"22.0.0-next3"},{"last_affected":"22.0.0-next3"},{"introduced":"22.0.0-next4"},{"last_affected":"22.0.0-next4"},{"introduced":"22.0.0-next5"},{"last_affected":"22.0.0-next5"},{"introduced":"22.0.0-next6"},{"last_affected":"22.0.0-next6"},{"introduced":"22.0.0-next7"},{"last_affected":"22.0.0-next7"},{"introduced":"22.0.0-next8"},{"last_affected":"22.0.0-next8"},{"introduced":"22.0.0-next9"},{"last_affected":"22.0.0-next9"}]}}],"versions":["22.0.0-next0","22.0.0-next1","22.0.0-next10","22.0.0-next11","22.0.0-next12","22.0.0-next2","22.0.0-next3","22.0.0-next4","22.0.0-next5","22.0.0-next6","22.0.0-next7","22.0.0-next8","22.0.0-next9","v20.3.21","vsix-included-21.2.4","vsix-21.2.4","v19.2.22","v21.2.14","v21.2.13","v19.2.21","v20.3.20","v21.2.12","v20.3.19","v21.2.11","v21.2.10","v21.2.9","v20.3.18","v19.2.20","v21.2.8","v21.2.7","v21.2.6","v21.2.5","v21.2.4","v19.2.19","v20.3.17","vsix-21.2.3","v21.2.3","v21.2.2","vsix-21.2.2","v21.2.1","vsix-21.2.1","v21.2.0","v19.2.18","v20.3.16","vsix-21.2.0","v21.2.0-rc.0","v21.2.0-next.3","v21.2.0-next.2","v21.2.0-next.1","v21.2.0-next.0","20.3.15","19.2.17","v21.1.0-next.4","v21.1.0-next.3","v21.1.0-next.2","21.1.0-next.1","20.3.14","19.2.16","21.1.0-next.0","20.3.13","zone.js-0.16.0","20.3.12","20.3.11","20.3.10","20.3.9","20.3.8","20.3.7","20.3.6","20.3.5","21.0.0-next.8","20.3.4","21.0.0-next.7","20.3.3","21.0.0-next.6","20.3.2","21.0.0-next.5","20.3.1","21.0.0-next.4","19.2.15","20.3.0","21.0.0-next.3","20.3.0-rc.0","21.0.0-next.2","20.2.4","20.2.3","20.2.2","21.0.0-next.1","20.2.1","20.2.0","21.0.0-next.0","20.2.0-rc.1","20.2.0-rc.0","20.2.0-next.6","20.2.0-next.5","20.2.0-next.4","20.2.0-next.3","20.2.0-next.2","20.2.0-next.1","20.2.0-next.0","20.1.0-next.3","20.1.0-next.2","20.1.0-next.1","20.1.0-next.0","19.2.14","19.2.13","zone.js-0.15.1","19.2.12","19.2.11","19.2.10","19.2.9","19.2.8","20.0.0-next.8","19.2.7","20.0.0-next.7","19.2.6","20.0.0-next.6","19.2.5","20.0.0-next.5","19.2.4","20.0.0-next.4","19.2.3","20.0.0-next.3","19.2.2","20.0.0-next.2","19.2.1","20.0.0-next.1","20.0.0-next.0","19.2.0","19.2.0-rc.0","19.2.0-next.3","19.2.0-next.2","19.2.0-next.1","19.2.0-next.0","19.1.0-next.4","19.1.0-next.3","19.1.0-next.2","19.1.0-next.1","19.1.0-next.0","19.0.0-next.10","19.0.0-next.9","19.0.0-next.8","19.0.0-next.7","19.0.0-next.6","19.0.0-next.5","19.0.0-next.4","19.0.0-next.3","19.0.0-next.2","19.0.0-next.1","zone.js-0.15.0","19.0.0-next.0","18.2.0-next.4","zone.js-0.14.10","18.2.0-next.3","18.2.0-next.2","zone.js-0.14.8","18.2.0-next.1","18.2.0-next.0","18.1.0-next.4","18.1.0-next.3","18.1.0-next.2","zone.js-0.14.7","18.1.0-next.1","18.1.0-next.0","zone.js-0.14.6","zone.js-0.14.5","18.0.0-next.5","18.0.0-next.4","18.0.0-next.3","18.0.0-next.2","18.0.0-next.1","18.0.0-next.0","17.3.0-next.1","17.3.0-next.0","zone.js-0.14.4","17.2.0-next.1","17.2.0-next.0","zone.js-0.14.3","17.1.0-next.5","17.1.0-next.4","17.1.0-next.3","17.1.0-next.2","17.1.0-next.1","17.1.0-next.0","zone.js-0.14.2","zone.js-0.14.1","17.0.0-next.7","17.0.0-next.6","17.0.0-next.5","zone.js-0.14.0","17.0.0-next.4","zone.js-0.13.3","zone.js-0.13.2","17.0.0-next.3","17.0.0-next.2","17.0.0-next.1","17.0.0-next.0","16.2.0-next.4","16.2.0-next.3","16.2.0-next.2","16.2.0-next.1","16.2.0-next.0","zone.js-0.13.1","16.1.0-next.3","16.1.0-next.2","16.1.0-next.1","16.1.0-next.0","16.0.0-next.6","16.0.0-next.5","16.0.0-next.4","16.0.0-next.3","16.0.0-next.2","zone.js-0.13.0","16.0.0-next.1","16.0.0-next.0","15.2.0-next.4","15.2.0-next.3","15.2.0-next.2","15.2.0-next.1","15.2.0-next.0","15.1.0-next.3","15.1.0-next.2","15.1.0-next.1","15.1.0-next.0","zone.js-0.12.0","15.0.0-next.5","15.0.0-next.4","15.0.0-next.3","15.0.0-next.2","15.0.0-next.1","15.0.0-next.0","14.2.0-next.1","zone.js-0.11.8","14.2.0-next.0","zone.js-0.11.7","14.1.0-next.4","14.1.0-next.3","14.1.0-next.2","14.1.0-next.1","zone.js-0.11.6","14.1.0-next.0","14.0.0-next.15","14.0.0-next.14","14.0.0-next.13","14.0.0-next.12","14.0.0-next.11","14.0.0-next.10","14.0.0-next.9","14.0.0-next.8","14.0.0-next.7","14.0.0-next.6","zone.js-0.11.5","14.0.0-next.5","14.0.0-next.4","14.0.0-next.3","14.0.0-next.2","14.0.0-next.1","14.0.0-next.0","13.2.0-next.2","13.2.0-next.1","13.2.0-next.0","13.1.0-next.3","13.1.0-next.2","13.1.0-next.1","13.1.0-next.0","13.0.0-next.14","13.0.0-next.13","13.0.0-next.12","13.0.0-next.11","13.0.0-next.10","13.0.0-next.9","13.0.0-next.8","13.0.0-next.7","13.0.0-next.6","13.0.0-next.5","13.0.0-next.4","13.0.0-next.3","13.0.0-next.2","13.0.0-next.1","13.0.0-next.0","12.2.0-next.3","12.2.0-next.2","12.2.0-next.1","12.1.0","12.2.0-next.0","12.1.0-next.6","12.1.0-next.5","12.1.0-next.4","12.1.0-next.3","12.1.0-next.2","12.0.0-next.8","12.0.0-next.7","12.0.0-next.6","12.0.0-next.5","12.0.0-next.4","12.0.0-next.3","12.0.0-next.2","12.0.0-next.1","zone.js-0.11.4","12.0.0-next.0","11.1.0-next.4","11.1.0-next.3","11.1.0-next.2","11.1.0-next.1","11.1.0-next.0","zone.js-0.11.3","zone.js-0.11.2","11.0.0-next.6","11.0.0-next.5","11.0.0-next.4","11.0.0-next.3","11.0.0-next.2","11.0.0-next.1","11.0.0-next.0","10.1.0-rc.0","10.1.0-next.8","10.1.0-next.7","zone.js-0.11.0","10.1.0-next.6","10.1.0-next.5","10.1.0-next.4","10.1.0-next.3","10.1.0-next.2","10.1.0-next.1","10.1.0-next.0","10.0.0-rc.0","10.0.0-next.9","10.0.0-next.8","10.0.0-next.7","10.0.0-next.6","10.0.0-next.5","10.0.0-next.4","10.0.0-next.3","10.0.0-next.2","10.0.0-next.1","10.0.0-next.0","9.1.0-rc.0","9.1.0-next.5","zone.js-0.10.3","9.1.0-next.4","9.1.0-next.2","9.1.0-next.1","9.1.0-next.0","9.0.0-rc.1","9.0.0-rc.0","9.0.0-next.15","9.0.0-next.14","9.0.0-next.13","9.0.0-next.12","9.0.0-next.11","9.0.0-next.10","9.0.0-next.9","9.0.0-next.8","9.0.0-next.7","9.0.0-next.6","9.0.0-next.5","9.0.0-next.4","9.0.0-next.3","zone.js-0.10.2","9.0.0-next.2","9.0.0-next.1","zone.js-0.10.1","9.0.0-next.0","zone.js-0.10.0","8.2.0-next.2","8.2.0-next.1","8.2.0-next.0","8.1.0-rc.0","zone.js-0.9.2","8.1.0-next.3","8.1.0-next.2","8.1.0-next.1","8.1.0-beta.0","8.0.0-rc.0","8.0.0-beta.14","8.0.0-beta.13","8.0.0-beta.12","8.0.0-beta.11","8.0.0-beta.10","8.0.0-beta.9","8.0.0-beta.8","8.0.0-beta.7","8.0.0-beta.6","8.0.0-beta.5","8.0.0-beta.4","8.0.0-beta.3","8.0.0-beta.2","8.0.0-beta.1","8.0.0-beta.0","7.2.0","7.2.0-rc.0","7.2.0-beta.2","7.2.0-beta.1","7.1.0","7.1.0-rc.0","7.1.0-beta.2","7.1.0-beta.1","7.1.0-beta.0","7.0.0-rc.1","7.0.0-rc.0","7.0.0-beta.7","7.0.0-beta.6","7.0.0-beta.5","ngcontainer_0.5.0","7.0.0-beta.4","7.0.0-beta.3","7.0.0-beta.2","7.0.0-beta.1","ngcontainer_0.4.0","7.0.0-beta.0","6.1.0","6.1.0-rc.3","ngcontainer_0.3.3","6.1.0-beta.3","6.1.0-beta.2","6.1.0-beta.1","ngcontainer_0.3.2","6.1.0-beta.0","ngcontainer_0.3.1","ngcontainer_0.3.0","6.0.0-rc.5","6.0.0-rc.4","6.0.0-rc.3","6.0.0-rc.2","6.0.0-rc.1","6.0.0-rc.0","6.0.0-beta.8","6.0.0-beta.7","6.0.0-beta.6","6.0.0-beta.4","6.0.0-beta.3","6.0.0-beta.2","6.0.0-beta.1","6.0.0-beta.0","5.2.0","5.2.0-rc.0","5.2.0-beta.1","5.2.0-beta.0","5.1.0","5.1.0-rc.1","5.1.0-rc.0","5.1.0-beta.2","5.1.0-beta.1","5.1.0-beta.0","5.0.0-rc.4","5.0.0-rc.3","5.0.0-rc.2","5.0.0-rc.1","5.0.0-rc.0","5.0.0-beta.7","5.0.0-beta.6","5.0.0-beta.5","patch_sync","5.0.0-beta.4","5.0.0-beta.3","5.0.0-beta.2","5.0.0-beta.1","5.0.0-beta.0","4.3.0","4.3.0-rc.0","4.3.0-beta.1","4.3.0-beta.0","4.2.1","4.2.0-rc.2","4.2.0-rc.1","4.2.0-rc.0","4.2.0-beta.0","4.1.0","4.1.0-rc.0","4.1.0-beta.1","4.1.0-beta.0","4.0.0","4.0.0-rc.6","4.0.0-rc.5","4.0.0-rc.4","4.0.0-rc.3","4.0.0-rc.2","4.0.0-rc.1","4.0.0-beta.8","4.0.0-beta.7","4.0.0-beta.6","4.0.0-beta.5","4.0.0-beta.3","4.0.0-beta.2","4.0.0-beta.1","2.4.0-marker","2.3.0","4.0.0-beta.0","2.3.0-rc.0","2.3.0-beta.0","2.2.0","2.2.0-rc.0","2.2.0-beta.1","2.2.0-beta.0","2.1.0","2.1.0-rc.0","2.1.0-beta.0","2.0.0","2.0.0-rc.7","2.0.0-rc.6","2.0.0-rc.5","2.0.0-rc.4","2.0.0-rc.3","2.0.0-rc.2","2.0.0-rc.1","2.0.0-rc.0","2.0.0-beta.17","2.0.0-beta.16","2.0.0-beta.14","2.0.0-beta.13","2.0.0-beta.12","2.0.0-beta.11","2.0.0-beta.8","2.0.0-beta.7","2.0.0-beta.6","2.0.0-beta.0","2.0.0-alpha.55","2.0.0-alpha.54","2.0.0-alpha.53","2.0.0-alpha.52","2.0.0-alpha.51","2.0.0-alpha.50","2.0.0-alpha.49","2.0.0-alpha.48","2.0.0-alpha.47","2.0.0-alpha.44","2.0.0-alpha.42","2.0.0-alpha.41","2.0.0-alpha.40","2.0.0-alpha.35","2.0.0-alpha.34","2.0.0-alpha.33","2.0.0-alpha.32","2.0.0-alpha.31","2.0.0-alpha.30","2.0.0-alpha.29","2.0.0-alpha.28","2.0.0-alpha.27","2.0.0-alpha.26","2.0.0-alpha.25","2.0.0-alpha.24","2.0.0-alpha.23","2.0.0-alpha.22","2.0.0-alpha.21","2.0.0-alpha.20","2.0.0-alpha.19","2.0.0-alpha.18","2.0.0-alpha.17","2.0.0-alpha.15","2.0.0-alpha.14","2.0.0-alpha.13"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50169.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}