{
  "threat_severity" : "Important",
  "public_date" : "2026-04-07T19:10:44Z",
  "bugzilla" : {
    "description" : "Vite: Vite: Information disclosure via WebSocket connection bypasses access control",
    "id" : "2456179",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2456179"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-1220",
  "details" : [ "Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default \"...\"). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.", "A flaw was found in Vite, a frontend tooling framework. A remote attacker can exploit this vulnerability by connecting to the Vite development server's WebSocket without an Origin header. This allows the attacker to invoke the fetchModule function, enabling them to retrieve the contents of arbitrary files on the server. This information disclosure can lead to unauthorized access to sensitive data." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2026-06-09T00:00:00Z",
    "advisory" : "RHSA-2026:24761",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "automation-gateway-0:2.5.20260422-3.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2026-06-09T00:00:00Z",
    "advisory" : "RHSA-2026:24761",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "automation-gateway-0:2.5.20260422-3.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
    "release_date" : "2026-06-09T00:00:00Z",
    "advisory" : "RHSA-2026:24762",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
    "package" : "automation-platform-ui-0:2.6.9-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.6",
    "release_date" : "2026-06-09T00:00:00Z",
    "advisory" : "RHSA-2026:24866",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
    "package" : "ansible-automation-platform-tech-preview/mcp-server-rhel9:1779783248"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Not affected",
    "package_name" : "rhacs-eng/release-main",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-26/gateway-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "automation-controller",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "automation-eda-controller",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Will not fix",
    "package_name" : "vite",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop",
    "fix_state" : "Affected",
    "package_name" : "podman-desktop-macos-1-0",
    "cpe" : "cpe:/a:redhat:podman_desktop:1"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop",
    "fix_state" : "Affected",
    "package_name" : "podman-desktop-windows-1-0",
    "cpe" : "cpe:/a:redhat:podman_desktop:1"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop - Tech Preview",
    "fix_state" : "Affected",
    "package_name" : "redhat-user-workloads/bootc-ext",
    "cpe" : "cpe:/a:redhat:podman_desktop:0"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop - Tech Preview",
    "fix_state" : "Affected",
    "package_name" : "redhat-user-workloads/openshift-local-ext",
    "cpe" : "cpe:/a:redhat:podman_desktop:0"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop - Tech Preview",
    "fix_state" : "Will not fix",
    "package_name" : "redhat-user-workloads/rhel-ext",
    "cpe" : "cpe:/a:redhat:podman_desktop:0"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "vite",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "vite",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "redhat-user-workloads/art-images",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-39363\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39363\nhttps://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583" ],
  "name" : "CVE-2026-39363",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}