CVE-2026-39363
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://… with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "…"). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| vitejs | vite | >= 8.0.0, < 8.0.5 | affected |
| vitejs | vite | >= 7.0.0, < 7.3.2 | affected |
| vitejs | vite | >= 6.0.0, < 6.4.2 | affected |
| vitejs | vite-plus | < 0.1.16 | affected |
Weaknesses
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-306: CWE-306: Missing Authentication for Critical Function
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
Vite: Vite: Information disclosure via WebSocket connection bypasses access control
Additional References
- https://access.redhat.com/security/cve/CVE-2026-39363
- https://bugzilla.redhat.com/show_bug.cgi?id=2456179
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39363.json
- https://access.redhat.com/errata/RHSA-2026:24761
- https://access.redhat.com/errata/RHSA-2026:24762
- https://access.redhat.com/errata/RHSA-2026:24866
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.