Missing Authentication for Critical Function Affecting vite package, versions >=6.0.0 <6.4.2, >=7.0.0 <7.3.2, >=8.0.0 <8.0.5


Severity

high

CVSS assessment by Snyk's Security Team.

Threat Intelligence

Exploit Maturity
Proof of Concept

  • Snyk ID: SNYK-JS-VITE-15922242
  • published: 7 Apr 2026
  • disclosed: 6 Apr 2026
  • credit: odgrso, CodeAnt-AI-Security, tronglinh23

Introduced: 6 Apr 2026

CVE-2026-39363
CWE-306

How to fix?

Upgrade vite to version 6.4.2, 7.3.2, 8.0.5 or higher.

Overview

vite is a Native-ESM powered web dev build tool.

Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the fetchModule method exposed through the WebSocket interface when the server is explicitly exposed to the network and WebSocket is enabled. An attacker can access arbitrary files on the server by connecting to the WebSocket without an Origin header and invoking fetchModule with a crafted file URL, thereby retrieving sensitive file contents as JavaScript modules.

Note:

This is only exploitable if the development server is started with network exposure (such as using --host or the server.host configuration) and WebSocket is not disabled.
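
The conditions above can be turned into a triage check. The following is an added example, not code from Snyk or the Vite project: it compares an installed vite version against the affected ranges listed in this advisory and combines that with the two exposure preconditions. The function names, the loopback host list, and the `wsDisabled` flag (supplied by the caller after reviewing the dev-server configuration) are assumptions of this example.

```javascript
// Added example: triage for CVE-2026-39363 using the values stated in this advisory.
// Affected ranges and fixed versions are copied from the advisory text.
const AFFECTED = [
  { from: [6, 0, 0], fixed: [6, 4, 2] },
  { from: [7, 0, 0], fixed: [7, 3, 2] },
  { from: [8, 0, 0], fixed: [8, 0, 5] },
];

// Parse "x.y.z" (optional leading "v"). A pre-release or build suffix is
// ignored, so such versions are judged by their base version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the fixed version for an affected release, or null if not affected.
// Pass the resolved version from the lockfile, not a package.json range.
function fixedVersionFor(installed) {
  const v = parseVersion(installed);
  if (!v) throw new Error(`unparseable version: ${installed}`);
  const hit = AFFECTED.find(r => cmp(v, r.from) >= 0 && cmp(v, r.fixed) < 0);
  return hit ? hit.fixed.join('.') : null;
}

// Assumption: `host` is the effective server.host / --host value; `true` or
// any non-loopback address is treated as network exposure.
function isNetworkExposed(host) {
  if (host === undefined || host === false) return false;
  if (host === true) return true;
  return !['localhost', '127.0.0.1', '::1'].includes(String(host).toLowerCase());
}

// Combine the advisory's preconditions into one verdict.
function assess({ version, host, wsDisabled = false }) {
  const fixed = fixedVersionFor(version);
  if (!fixed) return { status: 'not-affected' };
  const reachable = isNetworkExposed(host) && !wsDisabled;
  return { status: reachable ? 'exploitable-config' : 'affected-not-exposed', upgradeTo: fixed };
}
```

A result of `affected-not-exposed` still calls for the upgrade, since a later configuration change can restore the exposure.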
