CVE-2026-39363
Published: 07 April 2026
Summary
CVE-2026-39363 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Vitejs Vite. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates CVE-2026-39363 by remediating the specific flaw in Vite dev server versions through patching to 6.4.2, 7.3.2, or 8.0.5.
- Prevents remote exploitation (AV:N) by monitoring and controlling communications at external boundaries to block unauthorized access to the Vite dev server's WebSocket endpoint.
- Protects against unauthorized disclosure of arbitrary server files via the unauthenticated WebSocket path lacking Origin header validation on publicly accessible Vite dev servers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in exposed Vite dev server allows unauthenticated remote file read via WebSocket bypass of fs.allow controls, directly enabling T1190 (Exploit Public-Facing Application) for initial access and T1005 (Data from Local System) for arbitrary local file disclosure.
NVD Description
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server's WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Deeper analysis
CVE-2026-39363 is a vulnerability in Vite, a frontend tooling framework for JavaScript, affecting versions from 6.0.0 up to but not including 6.4.2, 7.3.2, and 8.0.5. It enables arbitrary file disclosure on the Vite development server when an attacker connects to its WebSocket endpoint without an Origin header. By sending a custom WebSocket event "vite:invoke" to trigger the fetchModule function with a file:// URL appended with ?raw or ?inline query parameters, the attacker bypasses file system access controls like server.fs.allow, which are only enforced on HTTP request paths. The contents of arbitrary server files are returned as JavaScript strings, such as export default "...".
A remote attacker with network access to the Vite dev server (AV:N) requires no privileges (PR:N) or user interaction (UI:N) to exploit this, achieving high confidentiality impact (C:H) by reading sensitive local files without affecting integrity or availability. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), with associated CWEs CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-306 (Missing Authentication for Critical Function).
The issue is fixed in Vite versions 6.4.2, 7.3.2, and 8.0.5. Additional mitigation details are available in the GitHub security advisory at https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583.
Details
- CWE(s)