Missing Authentication for Critical Function in Vite - CVE-2026-39363
Published: April 8, 2026
Vulnerability identifier: #VU125312
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-39363
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Vite
Affected software:
Vite
Vite
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the Vite dev server WebSocket fetchModule method when handling WebSocket requests that invoke fetchModule with file URLs. A remote attacker can send a specially crafted WebSocket event to disclose sensitive information.
Only applications that explicitly expose the dev server to the network and have WebSocket support enabled are affected. Exploitation requires the ability to connect to the WebSocket without an Origin header.
How to mitigate CVE-2026-39363
Install security update from vendor's website.