Bug 2456179 (CVE-2026-39363) - CVE-2026-39363 Vite: Vite: Information disclosure via WebSocket connection bypasses access control
Summary: CVE-2026-39363 Vite: Vite: Information disclosure via WebSocket connection bypasses access control
Keywords:
Status: NEW
Alias: CVE-2026-39363
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2456270 2456271 2456272
Blocks:
Reported: 2026-04-07 20:02 UTC by OSIDB Bzimport
Modified: 2026-04-07 22:02 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-07 20:02:34 UTC
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
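The first thing a practitioner needs from an advisory like this is a reliable answer to "is my deployed Vite inside the affected range?", because the description makes clear that server.fs.allow does not protect the WebSocket path and only upgrading closes the hole. The script below is an added example, not code from this Bugzilla record or from the Vite project. It encodes only the version boundaries stated in the description (affected from 6.0.0; fixed in 6.4.2, 7.3.2 and 8.0.5) and scans a constructed sample of a package-lock.json "packages" map whose paths and version numbers are invented for illustration.

```javascript
// Added example (not from the Bugzilla record or the Vite project): decide
// whether a Vite version falls inside the range the advisory describes,
// i.e. >= 6.0.0 and below the fixed release of its major line, and find
// every vite copy (top-level or nested) in a lockfile "packages" map.

// Boundaries taken from the advisory text; nothing else is assumed about Vite.
const FIRST_AFFECTED = "6.0.0";
const FIXED_BY_MAJOR = { 6: "6.4.2", 7: "7.3.2", 8: "8.0.5" };

// Parse "MAJOR.MINOR.PATCH" into numbers. A leading "v" is tolerated; any
// pre-release or build suffix is ignored, so "6.4.2-beta.1" compares as 6.4.2
// (see the note below the block).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric three-component comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns { affected, reason, fixedIn }. `affected` is true/false when the
// advisory covers the major line, and null when it does not (majors other
// than 6, 7, 8), which is deliberately distinct from "safe".
function assessViteVersion(version) {
  const [major] = parseVersion(version);
  if (compareVersions(version, FIRST_AFFECTED) < 0) {
    return { affected: false, reason: "before 6.0.0, outside the affected range", fixedIn: null };
  }
  const fixed = FIXED_BY_MAJOR[major];
  if (fixed === undefined) {
    return { affected: null, reason: `major ${major} is not covered by the advisory`, fixedIn: null };
  }
  const affected = compareVersions(version, fixed) < 0;
  return {
    affected,
    reason: affected ? `below fixed version ${fixed}` : `at or above fixed version ${fixed}`,
    fixedIn: fixed,
  };
}

// Walk a lockfile "packages" map (package-lock.json v2/v3 shape) and report
// every vite entry, nested copies included, that is still affected.
function findAffectedVite(lockPackages) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockPackages)) {
    if (path === "node_modules/vite" || path.endsWith("/node_modules/vite")) {
      const r = assessViteVersion(entry.version);
      if (r.affected) hits.push({ path, version: entry.version, fixedIn: r.fixedIn });
    }
  }
  return hits;
}

// Constructed sample input: paths and versions are invented for illustration.
const SAMPLE_LOCK_PACKAGES = {
  "node_modules/vite": { version: "6.3.5" },
  "node_modules/some-tool/node_modules/vite": { version: "7.3.2" },
  "node_modules/other-tool/node_modules/vite": { version: "8.0.4" },
  "node_modules/legacy-tool/node_modules/vite": { version: "5.4.0" },
};

// Run directly: node check-vite.js  (prints the two affected copies above)
if (typeof require !== "undefined" && require.main === module) {
  console.log(findAffectedVite(SAMPLE_LOCK_PACKAGES));
}
```

Two caveats on the check itself: pre-release tags are stripped, so a "6.4.2-beta" build is reported as fixed even though it predates the 6.4.2 release, and a major line the advisory does not list (for example 5.x before the affected range, or anything above 8) is reported as "not covered" rather than "safe", so it still has to be confirmed against the vendor's own advisory. Nested copies matter here because a build plugin can pin its own older Vite, which is why the scan looks at every `.../node_modules/vite` path rather than only the top-level entry.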

