CVE-2026-54264: @angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker

June 15, 2026

An information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm.

This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin.

References

github.com/advisories/GHSA-qxh6-94w6-9r5p
github.com/angular/angular/commit/47d68dcb26266316647133ab6385e77fc3e5ae08
github.com/angular/angular/pull/69029
github.com/angular/angular/security/advisories/GHSA-qxh6-94w6-9r5p
nvd.nist.gov/vuln/detail/CVE-2026-54264

Code Behaviors & Features

Detect and mitigate CVE-2026-54264 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →