Improper access control in vitest - CVE-2026-47429
Published: May 22, 2026
Vulnerability identifier: #VU132148
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-47429
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Vitest
Affected software:
vitest
vitest
Detailed vulnerability description
The vulnerability allows a remote attacker to read arbitrary files and execute arbitrary code.
The vulnerability exists due to improper access control in the Vitest UI server API and Browser Mode file operation endpoints when handling crafted API requests to exposed file read, write, and rerun functionality. A remote attacker can send specially crafted requests to read arbitrary files and execute arbitrary code.
On Windows, the file-serving check can be bypassed using a crafted path such as \\?\\..\\. Only instances that expose the Vitest UI server to the network or run the Vitest UI or Browser Mode on Windows are affected.
How to mitigate CVE-2026-47429
Install security update from vendor's website.