← Back
2026-06-22 15:39CVE-2026-50170GitHub_M
PUBLISHED5.2CWE-524

Angular: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerability was discovered in @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState. However, the caching mechanism fails to inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared TransferState payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user's private data to other users, leading to a high-severity information disclosure vulnerability. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

Problem type

Affected products

angular

angular

>= 22.0.0-next.0, < 22.0.0-rc.2 - AFFECTED

>= 21.0.0-next.0, < 21.2.15 - AFFECTED

>= 20.0.0-next.0, < 20.3.22 - AFFECTED

>= 19.0.0-next.0, < 19.2.23 - AFFECTED

<= 18.2.14 - AFFECTED

References

https://github.com/angular/angular/security/advisories/GHSA-q6f4-qqrg-jv6x

https://github.com/angular/angular/security/advisories/GHSA-q6f4-qqrg-jv6x

x_refsource_CONFIRM
https://github.com/angular/angular/pull/67964

https://github.com/angular/angular/pull/67964

x_refsource_MISC

GitHub Security Advisories

GHSA-q6f4-qqrg-jv6x

@angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache

https://github.com/advisories/GHSA-q6f4-qqrg-jv6x

A vulnerability was discovered in @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState.

However, the caching mechanism fails to inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared TransferState payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user's private data to other users, leading to a high-severity information disclosure vulnerability.

Impact

Successful exploitation allows an unauthenticated attacker to obtain sensitive, user-specific information of other authenticated users. This occurs when:

  • The SSR-rendered HTML containing the cached private data is stored in a shared cache (e.g., CDN, reverse proxy).
  • Subsequent requests for the same page receive the cached HTML containing the first user's private data.

Attack Preconditions

  • SSR and Hydration Enabled: The Angular application must be configured to use Server-Side Rendering and hydration (e.g., using provideClientHydration()).
  • Credentialed Requests during SSR: The application must perform HTTP requests that require user-specific authentication (using cookies or withCredentials: true) during the initial server-side render.
  • Shared Caching: The application's HTML responses must be cached by a shared caching layer (CDN, reverse proxy, or server-side cache) without proper cache-control headers to distinguish authenticated users.

Patches

  • 22.0.0-rc.2
  • 21.2.15
  • 20.3.22
  • 19.2.23
github.com

https://github.com/angular/angular/security/advisories/GHSA-q6f4-qqrg-jv6x

github.com

https://github.com/angular/angular/pull/67964

github.com

https://github.com/advisories/GHSA-q6f4-qqrg-jv6x

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-50170
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-50170",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-06-22T16:01:17.572Z",
    "dateReserved": "2026-06-03T20:54:20.433Z",
    "datePublished": "2026-06-22T15:39:08.877Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-06-22T16:01:17.572Z"
      },
      "title": "Angular: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache",
      "descriptions": [
        {
          "lang": "en",
          "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerability was discovered in @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState. However, the caching mechanism fails to inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared TransferState payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user's private data to other users, leading to a high-severity information disclosure vulnerability. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
        }
      ],
      "affected": [
        {
          "vendor": "angular",
          "product": "angular",
          "versions": [
            {
              "version": ">= 22.0.0-next.0, < 22.0.0-rc.2",
              "status": "affected"
            },
            {
              "version": ">= 21.0.0-next.0, < 21.2.15",
              "status": "affected"
            },
            {
              "version": ">= 20.0.0-next.0, < 20.3.22",
              "status": "affected"
            },
            {
              "version": ">= 19.0.0-next.0, < 19.2.23",
              "status": "affected"
            },
            {
              "version": "<= 18.2.14",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-524: Use of Cache Containing Sensitive Information",
              "cweId": "CWE-524",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/angular/angular/security/advisories/GHSA-q6f4-qqrg-jv6x",
          "name": "https://github.com/angular/angular/security/advisories/GHSA-q6f4-qqrg-jv6x",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/angular/angular/pull/67964",
          "name": "https://github.com/angular/angular/pull/67964",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    }
  }
}