CVE-2026-50169

CVE-2026-50169 is a medium-severity security vulnerability in @angular/service-worker (npm), affecting versions >= 22.0.0-next.0, < 22.0.0-rc.2. It is fixed in 22.0.0-rc.2, 20.3.22, 19.2.23, 21.2.15.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities

An issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function.

During this reconstruction process, the helper function strips the strict, client-defined request redirect policy configuration (such as redirect: 'error'), falling back to the browser's default 'follow' strategy.

If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker will bypass this instruction and automatically follow HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary ("Confused Deputy") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes.

Attack Preconditions

To successfully exploit this vulnerability, all of the following application states and parameters must concurrently exist:

  1. Active Angular Service Worker: The target application uses @angular/service-worker and has an active registration of ngsw-worker.js inside the client's browser context.
  2. Asset Group Matching: An assetGroups pattern in ngsw-config.json encompasses the target dynamic routing endpoint.
  3. Same-Origin Dynamic Redirection: The server routes a public matched asset route to a service that returns an HTTP 3xx redirect pointing to a sensitive, session-restricted same-origin private route (e.g., /private/account-summary.json).
  4. Established User Session: The victim user currently has an active authentication state, such as valid same-origin session cookies or auth headers stored by the browser.
  5. Client-Side Safe Fetch Call: The application initiates an explicit fetch request to the route with safety parameters: { redirect: 'error' }.

Mitigations & Workarounds

If upgrading the @angular/service-worker package is not immediately feasible, developers should implement the following defensive measures:

  • Avoid Public-to-Private Dynamic Redirection: Refactor the server architecture so that public paths matched by service worker asset groups never issue HTTP 3xx redirects to authenticated same-origin secure endpoints.
  • Strict Cookie Configuration: Apply strict flags to session cookies (SameSite=Strict; Secure; HttpOnly) and consider explicit route isolations (such as subdomains) for credential-guarded private resources.
  • Exclude Secure Endpoints from SW Config: Verify your ngsw-config.json settings and ensure that patterns targeting dynamic, secure endpoints are explicitly excluded from automatic asset groups or caching scopes.

Impact

Web applications registering the @angular/service-worker package are vulnerable to this redirect-policy bypass if they make safe client-side fetch calls (such as { redirect: 'error' }) to paths matched by a service worker asset group (such as lazy-loaded JavaScript bundles or dynamic public assets) that can return HTTP redirects to authenticated same-origin secure endpoints.

By stripping developer-defined safety boundaries, the service worker allows the browser to transparently query and return data from credentials-guarded resources that should have been blocked at the network barrier.

CVE-2026-50169 has a CVSS score of 6.1 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (22.0.0-rc.2, 20.3.22, 19.2.23, 21.2.15); upgrading removes the vulnerable code path.

Affected versions

@angular/service-worker (>= 22.0.0-next.0, < 22.0.0-rc.2) @angular/service-worker (>= 20.0.0-next.0, < 20.3.22) @angular/service-worker (>= 19.0.0-next.0, < 19.2.23) @angular/service-worker (<= 18.2.14) @angular/service-worker (>= 21.0.0-next.0, < 21.2.15)

Security releases

@angular/service-worker → 22.0.0-rc.2 (npm) @angular/service-worker → 20.3.22 (npm) @angular/service-worker → 19.2.23 (npm) @angular/service-worker → 21.2.15 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

  • 22.0.0-rc.2
  • 21.2.15
  • 20.3.22
  • 19.2.23

Frequently Asked Questions

  1. What is CVE-2026-50169? CVE-2026-50169 is a medium-severity security vulnerability in @angular/service-worker (npm), affecting versions >= 22.0.0-next.0, < 22.0.0-rc.2. It is fixed in 22.0.0-rc.2, 20.3.22, 19.2.23, 21.2.15.
  2. How severe is CVE-2026-50169? CVE-2026-50169 has a CVSS score of 6.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of @angular/service-worker are affected by CVE-2026-50169? @angular/service-worker (npm) versions >= 22.0.0-next.0, < 22.0.0-rc.2 is affected.
  4. Is there a fix for CVE-2026-50169? Yes. CVE-2026-50169 is fixed in 22.0.0-rc.2, 20.3.22, 19.2.23, 21.2.15. Upgrade to this version or later.
  5. Is CVE-2026-50169 exploitable, and should I be worried? Whether CVE-2026-50169 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-50169 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-50169?
    • Upgrade @angular/service-worker to 22.0.0-rc.2 or later
    • Upgrade @angular/service-worker to 20.3.22 or later
    • Upgrade @angular/service-worker to 19.2.23 or later
    • Upgrade @angular/service-worker to 21.2.15 or later

Other vulnerabilities in @angular/service-worker

Stop the waste.
Protect your environment with Kodem.