CVE-2026-39363
Published: 07 April 2026
Summary
CVE-2026-39363 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Vitejs Vite. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 18.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SC-7 (Boundary Protection).
Deeper analysis
Vite is a frontend tooling framework for JavaScript that is affected by an access-control bypass vulnerability in versions 6.0.0 through 6.4.1, 7.0.0 through 7.3.1, and 8.0.0 through 8.0.4. The flaw stems from insufficient enforcement of file-system restrictions such as server.fs.allow when requests arrive over the development server’s WebSocket channel rather than ordinary HTTP; specifically, the custom vite:invoke event can invoke fetchModule with file:// URIs combined with the ?raw or ?inline query parameters, returning arbitrary server-side file contents as JavaScript strings.
An unauthenticated attacker who can reach the Vite WebSocket endpoint without an Origin header can exploit this path to read sensitive files on the server, including configuration secrets or source code that would otherwise be blocked by HTTP-layer controls. The attack requires only the ability to establish the WebSocket connection and does not need authentication or user interaction.
The vulnerability is addressed in the patched releases 6.4.2, 7.3.2, and 8.0.5, as documented in the GitHub Security Advisory GHSA-p9ff-h696-f583. No material rise in exploitation probability is indicated by the reported EPSS values.
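Because the fix is a version upgrade, the first thing a defender wants is a reliable check of whether an installed Vite falls inside the affected ranges listed above (6.0.0 to 6.4.1, 7.0.0 to 7.3.1, 8.0.0 to 8.0.4) and which release to move to. The following is an added example written for this page; it is not code from the Vite project or the advisory, and the function names (`cve202639363FixedRelease`, `auditPackageJson`) and the package.json input are this example's own assumptions. The version ranges and fixed releases are taken from the advisory text.

```javascript
// Affected ranges and fixed releases for CVE-2026-39363, as stated in the
// advisory (inclusive lower and upper bounds).
const AFFECTED_RANGES = [
  { from: [6, 0, 0], to: [6, 4, 1], fixed: '6.4.2' },
  { from: [7, 0, 0], to: [7, 3, 1], fixed: '7.3.2' },
  { from: [8, 0, 0], to: [8, 0, 4], fixed: '8.0.5' },
];

// Parse "MAJOR.MINOR.PATCH" into a numeric triple. A leading "v" and a
// pre-release/build suffix ("-beta.1", "+build") are tolerated; the suffix is
// ignored, so "7.0.0-beta.1" is treated as 7.0.0 (conservative: flagged).
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two numeric triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the release to upgrade to when `version` is inside an affected
// range, or null when it is outside every affected range.
function cve202639363FixedRelease(version) {
  const v = parseVersion(version);
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(v, r.from) >= 0 && compareVersions(v, r.to) <= 0) {
      return r.fixed;
    }
  }
  return null;
}

// Audit a package.json-style object (hypothetical helper). Caret/tilde specs
// such as "^7.3.1" are evaluated at their floor version, which is what npm
// would install when no newer release is available in the lockfile.
function auditPackageJson(pkg) {
  const spec = (pkg.devDependencies && pkg.devDependencies.vite) ||
               (pkg.dependencies && pkg.dependencies.vite);
  if (!spec) return { vite: null, fixed: null };
  const pinned = spec.replace(/^[\^~]/, '');
  return { vite: pinned, fixed: cve202639363FixedRelease(pinned) };
}

// Constructed sample input, standing in for a real package.json.
const samplePackageJson = { devDependencies: { vite: '^7.3.1' } };
const result = auditPackageJson(samplePackageJson);
console.log(result.fixed
  ? `vite ${result.vite} is affected by CVE-2026-39363; upgrade to ${result.fixed}`
  : `vite ${result.vite} is outside the affected ranges`);
```

In a real audit, read the version from the lockfile (package-lock.json, pnpm-lock.yaml, yarn.lock) rather than the package.json range, since the lockfile records what is actually installed.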
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19871
Vulnerability details
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability in an exposed Vite dev server allows unauthenticated remote file reads through a WebSocket path that bypasses the server.fs.allow controls. This directly enables T1190 (Exploit Public-Facing Application) for initial access and T1005 (Data from Local System) for arbitrary local file disclosure.
Mitigating Controls (NIST 800-53 r5) (AI)
- Directly mitigates CVE-2026-39363 by remediating the specific flaw in the Vite dev server through patching to 6.4.2, 7.3.2, or 8.0.5.
- Prevents remote exploitation (AV:N) by monitoring and controlling communications at external boundaries to block unauthorized access to the Vite dev server's WebSocket endpoint.
- Protects against unauthorized disclosure of arbitrary server files via the unauthenticated WebSocket path, which lacks Origin header validation, on publicly accessible Vite dev servers.