Vite Dev Server File Retrieval via ?raw, Fixed in 7.3.2/8.0.5
CVE-2026-39364 Published on April 7, 2026

Vite has a `server.fs.deny` bypass with queries
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.

NVD

Vulnerability Analysis

CVE-2026-39364 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2026-39364. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Types

Incorrect Behavior Order: Validate Before Canonicalize

The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step. This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2026-39364 has been classified to as an Authorization vulnerability or weakness.

What is an Assumed-Immutable Parameter Tampering Vulnerability?

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

CVE-2026-39364 has been classified to as an Assumed-Immutable Parameter Tampering vulnerability or weakness.


Products Associated with CVE-2026-39364

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-39364 are published in these products:

 
 
 
 
 
 
 
 

Affected Versions

vitejs vite: vitejs vite-plus: Red Hat Ansible Automation Platform 2.6: Red Hat Ansible Automation Platform 2: Red Hat Build of Keycloak: Red Hat Build of Podman Desktop: Red Hat Build of Podman Desktop - Tech Preview: Red Hat OpenShift Container Platform 4: Red Hat Advanced Cluster Security 4: Red Hat JBoss Enterprise Application Platform 8: Red Hat JBoss Enterprise Application Platform Expansion Pack:

Exploit Probability

EPSS
1.72%
Percentile
74.52%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.