Detect CVE-2026-47429: Vitest UI Server Arbitrary File Read and Execution in Sumo Logic CSE
CVE-2026-47429 is a critical missing authorization vulnerability (CWE-862, CVSS 9.8) in the Vitest UI server. When the Vitest UI server is listening, unauthenticated remote attackers can read arbitrary files from the filesystem and execute arbitrary code. Affected versions include Vitest < 3.2.6 and >= 4.0.0, < 4.1.0. A public proof-of-concept exists. Exploitation typically involves sending crafted WebSocket or HTTP requests to the Vitest UI server's RPC endpoint to traverse the filesystem or trigger code execution via the browser plugin's file system command handlers.
MITRE ATT&CK
Sumo Detection Query
_sourceCategory=* (node OR vitest)
| where _raw matches /(?i)(vitest.*--ui|vitest ui|@vitest\/ui)/
| parse regex field=_raw "(?<file_path>[/\\][^\s\"']+(?:\.env|id_rsa|id_ed25519|\.pem|shadow|passwd|credentials|secrets)[^\s\"']*)" nodrop
| parse regex field=_raw "(?<source_ip>\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b)" nodrop
| parse regex field=_raw "(?:port|:)\s*(?<dest_port>5120[34]|5173|5174|4173)" nodrop
| if(!isNull(file_path) AND file_path != "", "true", "false") as is_sensitive_access
| if(!isNull(source_ip) AND source_ip != "127.0.0.1" AND source_ip != "::1" AND !isNull(dest_port), "true", "false") as is_remote_access
| where is_sensitive_access = "true" OR is_remote_access = "true"
| if(is_sensitive_access = "true" AND is_remote_access = "true", "Critical: Remote exploit with sensitive file access",
    if(is_sensitive_access = "true", "High: Sensitive file accessed via Vitest",
    "Medium: Remote connection to Vitest UI port")) as alert_type
| count by _sourceHost, alert_type, file_path, source_ip
| order by _count desc

Sumo Logic query that correlates Vitest UI server log events involving sensitive file path access or remote connections to the Vitest default ports, surfacing potential CVE-2026-47429 exploitation. Named capture groups use the (?<name>...) form expected by Sumo's parse regex, and quote characters inside the parse regex strings are escaped.
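To see concretely what the query's conditions match, the following is an added example (not part of this detection page, Sumo Logic, or the Vitest project) that re-implements the same triage logic in plain Node.js over constructed log lines, and adds a check of the affected-version ranges stated in the summary above. The hostnames, IP addresses and log lines are constructed for illustration; the function names `isAffectedVersion`, `triageLine` and `summarize` are chosen here.

```javascript
// Added example: mirrors the Sumo Logic detection logic for CVE-2026-47429
// in Node.js so the matching behaviour can be exercised offline.
// All log lines, hosts and IPs below are constructed, not real telemetry.

// Same patterns as the query's where/parse regex stages.
const VITEST_UI_RE = /vitest.*--ui|vitest ui|@vitest\/ui/i;
const SENSITIVE_PATH_RE =
  /[/\\][^\s"']+(?:\.env|id_rsa|id_ed25519|\.pem|shadow|passwd|credentials|secrets)[^\s"']*/;
const IPV4_RE = /\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/;
const VITEST_PORT_RE = /(?:port|:)\s*(5120[34]|5173|5174|4173)/;
const LOOPBACK = new Set(["127.0.0.1", "::1"]);

// Parse "major.minor.patch" (optional leading "v") into a numeric triple.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim().replace(/^v/, ""));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Affected ranges from the summary: < 3.2.6, or >= 4.0.0 and < 4.1.0.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  return cmp(v, [3, 2, 6]) < 0 || (cmp(v, [4, 0, 0]) >= 0 && cmp(v, [4, 1, 0]) < 0);
}

// One log line through the query: returns null when the line is not Vitest UI
// related or neither condition fires, otherwise the extracted fields and alert type.
function triageLine(line, sourceHost) {
  if (!VITEST_UI_RE.test(line)) return null;
  const filePath = (SENSITIVE_PATH_RE.exec(line) || [null])[0];
  const sourceIp = (IPV4_RE.exec(line) || [null])[0];
  const portMatch = VITEST_PORT_RE.exec(line);
  const destPort = portMatch ? portMatch[1] : null;
  const isSensitiveAccess = filePath !== null && filePath !== "";
  const isRemoteAccess = sourceIp !== null && !LOOPBACK.has(sourceIp) && destPort !== null;
  if (!isSensitiveAccess && !isRemoteAccess) return null;
  let alertType;
  if (isSensitiveAccess && isRemoteAccess) {
    alertType = "Critical: Remote exploit with sensitive file access";
  } else if (isSensitiveAccess) {
    alertType = "High: Sensitive file accessed via Vitest";
  } else {
    alertType = "Medium: Remote connection to Vitest UI port";
  }
  return { sourceHost, alertType, filePath, sourceIp, destPort };
}

// Equivalent of "count by _sourceHost, alert_type, file_path, source_ip | order by _count desc".
function summarize(events) {
  const counts = new Map();
  for (const { host, line } of events) {
    const r = triageLine(line, host);
    if (!r) continue;
    const key = [r.sourceHost, r.alertType, r.filePath, r.sourceIp].join("|");
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts.entries()]
    .map(([key, count]) => ({ key, count }))
    .sort((a, b) => b.count - a.count);
}

// Constructed sample events: one benign CI run, one local-only UI start,
// one remote connection, one remote sensitive read, one local sensitive read.
const SAMPLE_EVENTS = [
  { host: "dev-box-01", line: "vitest --ui: ws client connected from 203.0.113.5:51204" },
  { host: "dev-box-01", line: "@vitest/ui fs.readFile /etc/passwd requested by 203.0.113.5:51204" },
  { host: "dev-box-01", line: "@vitest/ui fs.readFile /home/dev/.env requested by 127.0.0.1:51204" },
  { host: "ci-runner-7", line: "vitest run --coverage finished in 3.2s" },
  { host: "dev-box-02", line: "vitest ui listening on 127.0.0.1:51204" },
];

console.table(summarize(SAMPLE_EVENTS));
```

Running the block prints three rows: the remote /etc/passwd read as Critical, the local .env read as High, and the bare remote connection as Medium; the CI run and the loopback-only listener produce nothing, which is the behaviour the query's where clause is meant to have.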
Data Sources
Required Tables
False Positives & Tuning
- Development environments with verbose logging where Vitest accesses config files normally
- Shared development servers where multiple users run Vitest UI simultaneously
- Log aggregation systems that collect Vitest output from containerized CI pipelines
- Security testing frameworks that probe Vitest endpoints as part of DAST scanning
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: CVE-2026-47429 - Vitest UI Arbitrary File Read via RPC
  Expected signal: Network connection from external IP to port 5173; node process file open event for /etc/passwd; WebSocket upgrade request in proxy logs
- Test 2: CVE-2026-47429 - Vitest UI Credential File Exfiltration Simulation
  Expected signal: Sequence of file open events for multiple sensitive paths initiated by node process; multiple WebSocket messages to Vitest UI port within a short timeframe
- Test 3: CVE-2026-47429 - Vitest UI Remote Code Execution via Test Execution
  Expected signal: Child process spawned by node with shell command arguments; file creation event at /tmp/vitest-rce-proof.txt; Sysmon Event ID 1 for child process of node.exe/node
References
- https://github.com/vitest-dev/vitest/security/advisories/GHSA-5xrq-8626-4rwp
- https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/commands/fs.ts#L10-L11
- https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/plugin.ts#L194-L196
- https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/rpc.ts#L115-L121
- https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
- https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L103-L105
- https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L119-L121
- https://github.com/advisories/GHSA-5xrq-8626-4rwp