CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-39363

CVE-2026-39363: Arbitrary File Read via WebSocket Authorization Bypass in Vite

Alon Barad
Alon Barad
Software Engineer

Apr 8, 2026·7 min read·82 visits

Executive Summary (TL;DR)

A flaw in Vite's WebSocket channel allows unauthenticated attackers to read arbitrary files by bypassing `server.fs.allow` checks via the `fetchModule` RPC endpoint.

Vite development server exposes a WebSocket-based RPC channel that fails to apply filesystem access restrictions present in the standard HTTP middleware. Unauthenticated attackers with network access to the dev server can exploit this disparity to read arbitrary files from the host filesystem.

Vulnerability Overview

CVE-2026-39363 is an arbitrary file read vulnerability affecting the development server of the Vite frontend framework. The core issue resides in the Vite DevEnvironment WebSocket communication layer, which handles Hot Module Replacement (HMR) and Server-Side Rendering (SSR) module requests. This WebSocket endpoint lacks the strict filesystem authorization boundaries enforced by Vite's standard HTTP middleware.

Vite intentionally restricts filesystem access during development using the server.fs.allow configuration directive. This mechanism prevents HTTP requests from retrieving arbitrary files outside the defined project workspace. However, the custom RPC protocol operating over the WebSocket connection does not natively inherit these validations, creating an authorization disparity.

An unauthenticated network attacker can leverage this disparity by sending custom vite:invoke messages to the WebSocket endpoint. By targeting the internal fetchModule method, the attacker forces the Vite transformation pipeline to retrieve and process arbitrary files on the host filesystem.

The vulnerability is classified under CWE-200 (Exposure of Sensitive Information) and CWE-306 (Missing Authentication for Critical Function). Exploitation requires network reachability to the Vite development server, but it does not require authentication or user interaction. Successful exploitation results in the exposure of sensitive source code, configuration files, and system data.

Root Cause Analysis

The root cause of CVE-2026-39363 is a misplaced authorization boundary within the Vite server architecture. Security checks validating file paths against the server.fs.allow list were implemented at the HTTP middleware layer. Because the WebSocket transport bypasses this middleware, the RPC endpoints exposed over the WebSocket channel operated without filesystem access restrictions.

Vite implements a custom RPC-like protocol over WebSockets to facilitate module loading. Clients communicate with the server by sending JSON payloads specifying a message type and event. When the server receives a message with type: 'custom' and event: 'vite:invoke', it routes the request directly to exported functions on the DevEnvironment object, such as fetchModule.

The fetchModule method accepts a file ID and processes it through the Vite plugin pipeline to return the transformed module code. In vulnerable versions, fetchModule blindly trusted the provided file ID. It assumed the requesting client was authorized to read the specified file, relying on the false premise that path validation had occurred earlier in the request lifecycle.

Attackers abuse this pipeline by supplying a raw file URI (e.g., file:///etc/passwd). Appending specific query parameters like ?raw or ?inline to the URI directs Vite's transformation engine to treat the file as plain text. The server reads the file content from disk, wraps it in an export default JavaScript declaration, and returns it to the attacker over the WebSocket connection.

Architecture and Attack Vector Diagram

The following diagram illustrates the architectural disparity between the secured HTTP middleware pathway and the vulnerable WebSocket RPC pathway.

This flowchart demonstrates how the WebSocket transport fundamentally circumvented the security mechanisms intended to protect the filesystem.

Code Analysis

The primary remediation for CVE-2026-39363 is implemented in commit f02d9fde0b195afe3ea2944414186962fbbe41e0. The Vite maintainers resolved the structural flaw by moving the filesystem access validation down the stack. Instead of relying on the transport layer (HTTP middleware), the validation logic now resides within the core loadAndTransform logic.

This commit introduces a skipFsCheck property on the HotChannel transport layer. For network-exposed transports like WebSockets, this property defaults to false. When fetchModule invokes the loading pipeline, the system now enforces the checkLoadingAccess function directly, ensuring the file path complies with server.fs.allow regardless of the original transport mechanism.

A subsequent commit, a9a3df299378d9cbc5f069e3536a369f8188c8ff, hardens the validation against query parameter manipulation. Attackers previously bypassed rudimentary checks by appending trailing characters that altered path resolution. The patched code invokes checkLoadingAccess twice: once before stripping query parameters and once after.

Finally, the configuration was updated to explicitly disable fetchModule for the default client development environment via disableFetchModule: true. This drastically reduces the attack surface by shutting down the vulnerable RPC endpoint entirely in environments where it is not strictly required for HMR operations.

Exploitation Methodology

Exploiting this vulnerability requires network connectivity to the target Vite development server. The server typically listens on port 5173. The attacker begins by opening a standard WebSocket connection to the root path and negotiating the vite-hmr subprotocol. No authentication headers or tokens are required.

Once the connection is established, the attacker sends a specially crafted JSON payload. The payload structure mimics legitimate Vite internal communication, defining the message type as custom and the event as vite:invoke. Within the data object, the attacker specifies the target method fetchModule and provides a tracking ID.

{
  "type": "custom",
  "event": "vite:invoke",
  "data": {
    "name": "fetchModule",
    "id": "exploit_req_1",
    "data": ["file:///etc/passwd?raw"]
  }
}

The most critical component of the payload is the target file URI. The attacker leverages the file:// protocol and appends the ?raw query parameter. This specific parameter combination instructs Vite's plugin pipeline to bypass standard JavaScript compilation and instead read the raw bytes of the target file.

The Vite server processes the request and responds with a matching JSON object containing the transformed code. The attacker extracts the file contents from the exported default string within the response payload.

{
  "type": "custom",
  "event": "vite:invoke",
  "data": {
    "id": "response:exploit_req_1",
    "data": {
      "code": "export default \"root:x:0:0:root:/root:/bin/bash\\n...\""
    }
  }
}

Impact Assessment

The vulnerability carries a high severity rating due to the complete loss of confidentiality on the affected host. An attacker can read any file that the Vite development server process has permission to access. This capability extends beyond the project workspace and allows the exfiltration of sensitive files across the entire local filesystem.

In typical development environments, the most critical targets are environment variable files (e.g., .env, .env.local). These files routinely contain production database credentials, third-party API keys, and cloud provider authentication tokens. Access to these secrets frequently facilitates immediate lateral movement and privilege escalation into cloud infrastructure.

The CVSS v4.0 base score is 8.2. The metric string (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) reflects the network-based attack vector, low attack complexity, and the complete lack of required privileges or user interaction. The impact is strictly isolated to confidentiality; integrity and availability are unaffected.

This vulnerability is confined to the development server. Production builds generated by Vite (static assets) do not include the vulnerable server component. However, development environments erroneously exposed to public networks, or local environments accessible via cross-site WebSocket hijacking (CSWSH) from malicious websites, remain highly susceptible.

Remediation and Mitigation

The definitive remediation for CVE-2026-39363 is upgrading the Vite package to a patched release. Development teams must update their dependencies to Vite versions 6.4.2, 7.3.2, or 8.0.5, corresponding to their current major version track. Related packages, such as vite-plus, must also be updated to their secure counterparts (e.g., >= 0.1.16).

If an immediate upgrade is not feasible, restrict network access to the development server. Vite binds to localhost (127.0.0.1) by default, which prevents remote exploitation. Administrators must audit startup scripts and configuration files to ensure the --host flag is not used to expose the server on 0.0.0.0 or public interfaces unless deployed in a strictly isolated, authenticated VPN environment.

As a defense-in-depth measure, environments utilizing WebSockets should strictly validate the Origin header. While this specific CVE bypasses filesystem authorization checks, enforcing origin restrictions at the proxy or reverse-proxy level mitigates the risk of Cross-Site WebSocket Hijacking attacks targeting developers traversing the public internet.

Finally, development teams must verify that Vite development servers are never deployed into production environments. Continuous integration and deployment pipelines should enforce policies that reject builds attempting to initiate the Vite dev server rather than serving the compiled static output.

Official Patches

Vitejs GitHub AdvisoryOfficial GitHub Security Advisory for CVE-2026-39363

Fix Analysis (3)

Technical Appendix

CVSS Score
8.2/ 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Systems

Vite Dev ServerVite HMR WebSocket Channelvite-plus module loader

Affected Versions Detail

Product
Affected Versions
Fixed Version
vite
Vitejs
>= 6.0.0, < 6.4.26.4.2
vite
Vitejs
>= 7.0.0, < 7.3.27.3.2
vite
Vitejs
>= 8.0.0, < 8.0.58.0.5
vite-plus
Vitejs
< 0.1.160.1.16
AttributeDetail
CWE IDCWE-200, CWE-306
Attack VectorNetwork (WebSocket)
CVSS v4.08.2
ImpactHigh Confidentiality (Arbitrary File Read)
Exploit StatusProof of Concept (PoC) available
CISA KEVNot Listed

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1005Data from Local System
Collection
T1552Unsecured Credentials
Credential Access
CWE-200
Exposure of Sensitive Information

Exposure of Sensitive Information to an Unauthorized Actor

Vulnerability Timeline

Technical fix commits pushed to GitHub.
2026-04-06
Patched versions (6.4.2, 7.3.2, 8.0.5) released.
2026-04-06
Official CVE-2026-39363 and GHSA-p9ff-h696-f583 published.
2026-04-07

References & Sources

  • [1]GHSA-p9ff-h696-f583 Security Advisory
  • [2]Primary Fix Commit f02d9fde
  • [3]Query Parameter Bypass Fix Commit a9a3df29
  • [4]Sourcemap Vector Fix Commit f05f5017
  • [5]Related Secondary Patch Commit

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 12 hours ago•GHSA-VJC7-JRH9-9J86
10.0

Unauthenticated CRUD and Sensitive Data Exposure in 9Router API Endpoints

An access control deficiency in the 9Router dashboard allows unauthenticated remote attackers to perform full CRUD operations on integrated AI providers, extract plaintext API keys, and access complete system conversation histories.

Amit Schendel
Amit Schendel
10 views•5 min read
•about 12 hours ago•CVE-2026-55790
7.4

CVE-2026-55790: DOM-Based Cross-Site Scripting in Craft CMS Support Widget

A DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.

Alon Barad
Alon Barad
8 views•7 min read
•about 13 hours ago•CVE-2026-55793
5.9

CVE-2026-55793: Stored DOM-Based Cross-Site Scripting in Craft CMS ElementTableSorter

CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.

Alon Barad
Alon Barad
10 views•8 min read
•about 13 hours ago•CVE-2026-55794
8.7

CVE-2026-55794: Authenticated Remote Code Execution via Template Injection in Craft CMS

Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 14 hours ago•GHSA-CGFV-JRFP-2R7V
8.5

GHSA-cgfv-jrfp-2r7v: Authenticated SQL Injection in OpenRemote Datapoint Crosstab Export

An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.

Amit Schendel
Amit Schendel
5 views•5 min read
•about 14 hours ago•GHSA-QRWJ-VH9X-GW5V
8.0

GHSA-QRWJ-VH9X-GW5V: Cross-Agent Server-Side Request Forgery and Remote Code Execution in Coder Workspace Agent

An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.

Amit Schendel
Amit Schendel
6 views•5 min read