Vite WebSocket RCE via vite:invoke pre6.4.2, pre7.3.2, pre8.0.5
CVE-2026-39363 Published on April 7, 2026

Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev servers WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

NVD

Vulnerability Analysis

CVE-2026-39363 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Types

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2026-39363 has been classified to as an Information Disclosure vulnerability or weakness.

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Insufficient Granularity of Access Control

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.


Products Associated with CVE-2026-39363

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-39363 are published in these products:

 
 
 
 
 
 
 
 
 
 

Affected Versions

vitejs vite: vitejs vite-plus: Red Hat Ansible Automation Platform 2.5 for RHEL 8: Red Hat Ansible Automation Platform 2.5 for RHEL 9: Red Hat Ansible Automation Platform 2.6 for RHEL 9: Red Hat Ansible Automation Platform 2.6: Red Hat Ansible Automation Platform 2: Red Hat Build of Keycloak: Red Hat Build of Podman Desktop: Red Hat Build of Podman Desktop - Tech Preview: Red Hat OpenShift Container Platform 4: Red Hat Ansible Automation Platform 2.6 for RHEL 10: Red Hat Advanced Cluster Security 4: Red Hat JBoss Enterprise Application Platform 8: Red Hat JBoss Enterprise Application Platform Expansion Pack:

Exploit Probability

EPSS
2.29%
Percentile
80.96%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.