{
  "threat_severity" : "Important",
  "public_date" : "2026-04-07T19:12:47Z",
  "bugzilla" : {
    "description" : "vite: Vite: Information disclosure via query parameter manipulation on the development server",
    "id" : "2456181",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2456181"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-472",
  "details" : [ "Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.", "A flaw was found in Vite, a frontend tooling framework for JavaScript. On the Vite development server, a remote attacker could exploit this vulnerability by appending specific query parameters, such as ?raw, to requests. This allows the attacker to bypass security restrictions and retrieve sensitive files, including environment variables (.env) and certificate files (*.crt), which should otherwise be blocked. This information disclosure could lead to further compromise of the system." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.6",
    "release_date" : "2026-06-09T00:00:00Z",
    "advisory" : "RHSA-2026:24866",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
    "package" : "ansible-automation-platform-tech-preview/mcp-server-rhel9:1779783248"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Not affected",
    "package_name" : "rhacs-eng/release-main",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "automation-controller",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "automation-eda-controller",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "automation-gateway",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "automation-platform-ui",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "redhat-user-workloads/gateway-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Will not fix",
    "package_name" : "vite",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop",
    "fix_state" : "Affected",
    "package_name" : "podman-desktop-macos-1-0",
    "cpe" : "cpe:/a:redhat:podman_desktop:1"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop",
    "fix_state" : "Affected",
    "package_name" : "podman-desktop-windows-1-0",
    "cpe" : "cpe:/a:redhat:podman_desktop:1"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop - Tech Preview",
    "fix_state" : "Affected",
    "package_name" : "redhat-user-workloads/bootc-ext",
    "cpe" : "cpe:/a:redhat:podman_desktop:0"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop - Tech Preview",
    "fix_state" : "Affected",
    "package_name" : "redhat-user-workloads/openshift-local-ext",
    "cpe" : "cpe:/a:redhat:podman_desktop:0"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop - Tech Preview",
    "fix_state" : "Affected",
    "package_name" : "redhat-user-workloads/rhel-ext",
    "cpe" : "cpe:/a:redhat:podman_desktop:0"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "vite",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "vite",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "redhat-user-workloads/art-images",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-39364\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39364\nhttps://github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r" ],
  "name" : "CVE-2026-39364",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}