#VU125312 Missing Authentication for Critical Function in Vite - CVE-2026-39363
Published: April 8, 2026
Vulnerability identifier: #VU125312
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-39363
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Vite
Vite
Software vendor:
Vite
Vite
Description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the Vite dev server WebSocket fetchModule method when handling WebSocket requests that invoke fetchModule with file URLs. A remote attacker can send a specially crafted WebSocket event to disclose sensitive information.
Only applications that explicitly expose the dev server to the network and have WebSocket support enabled are affected. Exploitation requires the ability to connect to the WebSocket without an Origin header.
Remediation
Install security update from vendor's website.