CVE-2026-39364
Published: 07 April 2026
Summary
CVE-2026-39364 is a high-severity Incorrect Behavior Order: Validate Before Canonicalize (CWE-180) vulnerability in Vitejs Vite. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely identification, reporting, and correction of the Vite dev server flaw enabling bypass of server.fs.deny restrictions via crafted query parameters.
Enforces approved authorizations for file access, directly countering the improper access control that allows retrieval of blocked files like .env and *.crt despite deny configurations.
Validates HTTP query parameters such as ?raw or ?import&raw to prevent early validation bypasses leading to unauthorized sensitive file disclosure.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote exploitation of an exposed Vite dev server (public-facing application) to bypass file access controls and retrieve sensitive local files like .env and private keys, directly mapping to T1190 for the exploitation vector and T1005 for unauthorized data collection from the local system.
NVD Description
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters…
more
such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
Deeper analysisAI
CVE-2026-39364 is a vulnerability in Vite, a frontend tooling framework for JavaScript, affecting the development server in versions from 7.1.0 up to but not including 7.3.2, as well as version 8.0.5. The issue allows files that are configured to be blocked by the server.fs.deny option—such as .env files or those matching *.crt—to be retrieved via HTTP 200 responses. This bypass occurs when attackers append specific query parameters like ?raw, ?import&raw, or ?import&url&inline to requests. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-180 (Incorrect Behavior Order: Early Validation) and CWE-284 (Improper Access Control).
Remote attackers can exploit this vulnerability without authentication or user interaction by simply sending crafted HTTP requests to an exposed Vite dev server. Successful exploitation enables unauthenticated retrieval of sensitive files, potentially exposing environment variables, private keys, or other configuration data that developers intend to restrict. The high confidentiality impact makes this particularly risky for development environments inadvertently exposed to the internet or internal networks.
The official GitHub security advisory (GHSA-v2wj-q39q-566r) confirms the vulnerability and states that it is fixed in Vite versions 7.3.2 and 8.0.5. Security practitioners should upgrade affected Vite installations immediately and review server.fs.deny configurations to ensure proper file restrictions during development.
Details
- CWE(s)