Nuxt: Four Vulnerabilities Including File Read and Open Redirects Disclosed Together
Four Nuxt vulnerabilities, including arbitrary file read and open redirects, disclosed together on June 22-23, 2026, patched in versions 4.4.7 and 3.21.7.

Key findings
- Four vulnerabilities disclosed in Nuxt framework between June 22-23, 2026.
- Includes arbitrary file read (CVE-2026-56301) via world-connectable IPC socket on Linux dev servers.
- Two open redirect flaws (CVE-2026-56698, CVE-2026-56326) in the navigateTo function.
- Open redirect via protocol-relative paths in reloadNuxtApp (CVE-2026-56697).
- All issues fixed in Nuxt 4.4.7 and 3.21.7.
On June 22-23, 2026, a batch of four vulnerabilities was disclosed in Nuxt, a popular Node.js framework for building Vue.js applications. The vulnerabilities, affecting Nuxt versions 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, span arbitrary file reads, cross-site scripting (XSS), and open redirect flaws. These issues were disclosed close together, making this a significant security event for Nuxt developers and users.
One of the critical vulnerabilities, CVE-2026-56301, allows arbitrary file reads via a world-connectable vite-node IPC socket on Linux systems while the development server (nuxt dev) is running. The IPC server binds to an abstract-namespace Unix socket without permission restrictions, so any local, unprivileged user on the same machine can connect to it and read sensitive files.
Two related vulnerabilities, CVE-2026-56698 and CVE-2026-56326, are open redirect flaws in the navigateTo function. CVE-2026-56698 is the client-side case: the open option of navigateTo failed to validate script-capable URLs, so an attacker could supply javascript: URLs and obtain script execution. CVE-2026-56326 is a server-side open redirect in which path-normalization tricks bypass the external-host checks, enabling redirection to attacker-controlled sites.
Additionally, CVE-2026-56697 is another open redirect, this time via protocol-relative paths in the reloadNuxtApp function. Such paths pass the script-protocol checks but resolve to cross-origin URLs against the current page's protocol, so an attacker who can inject a path like //evil.com can redirect users to a malicious domain.
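The three redirect issues above share one root cause: the target string was checked as text instead of as the URL a browser would actually resolve. The following added example (not Nuxt's own code) shows a defensive allow-list check for user-supplied redirect targets before they reach navigateTo() or reloadNuxtApp(); it goes beyond the //evil.com case in the advisory to also cover backslash and script-scheme variants. The function name safeInternalPath and the base origin https://app.example are assumptions made for the example.

```javascript
// Added example, not Nuxt's own code: validate a redirect target by letting the
// WHATWG URL parser resolve it the way a browser would, so the check sees the
// final origin rather than the raw string that bypasses rely on.

const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

// Return a same-origin path (path + query + fragment) for `input`, or null if
// the target would leave `baseOrigin` (e.g. window.location.origin) or use a
// non-HTTP scheme. Callers then pass only the returned value to navigateTo().
function safeInternalPath(input, baseOrigin) {
  if (typeof input !== "string") return null;
  let base, target;
  try {
    base = new URL(baseOrigin);
    // Resolving against the base turns "//evil.com", "/\\evil.com" and
    // "javascript:..." into the URLs the browser would actually load.
    target = new URL(input, base);
  } catch {
    return null; // unparseable input is rejected, not "fixed up"
  }
  if (!SAFE_PROTOCOLS.has(target.protocol)) return null; // javascript:, data:, ...
  if (target.origin !== base.origin) return null; // cross-origin after normalization
  // Hand back only the normalized same-origin part, never the raw input.
  return target.pathname + target.search + target.hash;
}

// Constructed sample inputs covering the classes of bypass named in the
// advisories: script scheme, protocol-relative path, backslash variants.
const samples = {
  "/dashboard?tab=1": "/dashboard?tab=1",
  "/a/../b#x": "/b#x",
  "https://app.example/ok": "/ok",
  "javascript:alert(1)": null,
  "//evil.com/login": null,
  "/\\evil.com": null,
  "\\/evil.com": null,
  "https://evil.com/ok": null,
};

// Evaluate every sample; `ok` is true when the verdict matches the expectation.
function runSamples(baseOrigin = "https://app.example") {
  const results = {};
  for (const [input, expected] of Object.entries(samples)) {
    const got = safeInternalPath(input, baseOrigin);
    results[input] = { got, ok: got === expected };
  }
  return results;
}
console.table(runSamples());
```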
All reported vulnerabilities have been addressed in Nuxt versions 4.4.7 and 3.21.7. Users are strongly advised to update to these patched versions to mitigate the risks associated with arbitrary file reads, XSS, and open redirects. The coordinated disclosure of these issues underscores the importance of timely patching for Nuxt applications, particularly those running development servers or handling user-controlled input in navigation functions.
Developers should ensure their projects are on these patched versions to prevent exploitation of the disclosed weaknesses. The close timing of the disclosures suggests a focused effort to address these specific security concerns within the Nuxt framework.