CVE-2026-39363: CVE-2026-39363: Arbitrary File Read via WebSocket Authorization Bypass in Vite

CVE-2026-39363: Arbitrary File Read via WebSocket Authorization Bypass in Vite

Vulnerability ID: CVE-2026-39363
CVSS Score: 8.2
Published: 2026-04-07

Vite development server exposes a WebSocket-based RPC channel that fails to apply filesystem access restrictions present in the standard HTTP middleware. Unauthenticated attackers with network access to the dev server can exploit this disparity to read arbitrary files from the host filesystem.

TL;DR

A flaw in Vite's WebSocket channel allows unauthenticated attackers to read arbitrary files by bypassing server.fs.allow checks via the fetchModule RPC endpoint.

---

⚠️ Exploit Status: POC

Technical Details

• CWE ID: CWE-200, CWE-306
• Attack Vector: Network (WebSocket)
• CVSS v4.0: 8.2
• Impact: High Confidentiality (Arbitrary File Read)
• Exploit Status: Proof of Concept (PoC) available
• CISA KEV: Not Listed

Affected Systems

• Vite Dev Server
• Vite HMR WebSocket Channel
• vite-plus module loader
• vite: >= 6.0.0, < 6.4.2 (Fixed in: 6.4.2)
• vite: >= 7.0.0, < 7.3.2 (Fixed in: 7.3.2)
• vite: >= 8.0.0, < 8.0.5 (Fixed in: 8.0.5)
• vite-plus: < 0.1.16 (Fixed in: 0.1.16)

Code Analysis

Commit: f02d9fd

Migrates server.fs checks into loadAndTransform logic and disables fetchModule for default dev environment.

Commit: a9a3df2

Ensures checkLoadingAccess is called before and after stripping query parameters to prevent bypasses.

Commit: f05f501

Addresses secondary vector regarding malicious sourcemaps in node_modules pointing outside package boundary.

Mitigation Strategies

• Upgrade Vite to the latest patched version based on the active release train.
• Ensure the Vite development server binds only to localhost.
• Validate WebSocket Origin headers via reverse proxy or WAF where applicable.
• Ensure development servers are strictly prohibited from production environments.

Remediation Steps:

1. Audit project dependencies to identify the active Vite version.
2. Run package manager update commands to install version 6.4.2, 7.3.2, or 8.0.5.
3. Update related ecosystem packages such as vite-plus to version 0.1.16 or higher.
4. Review package.json scripts and vite.config.js to verify the '--host' flag is removed or restricted.

References

• GHSA-p9ff-h696-f583 Security Advisory
• Primary Fix Commit f02d9fde
• Query Parameter Bypass Fix Commit a9a3df29
• Sourcemap Vector Fix Commit f05f5017
• Related Secondary Patch Commit

---

Read the full report for CVE-2026-39363 on our website for more details including interactive diagrams and full exploit analysis.