Mailpit 1.28.1 Cross Site WebSocket Hijacking

02 Feb 2026 00:00:00 | Reported by Omar Kurt | Type: packetstorm | Source: packetstorm.news | 126 views

Mailpit vulnerable to cross-site WebSocket hijacking allowing remote interception of emails and server statistics.

Mailpit - Cross-Site WebSocket Hijacking (CSWSH)
    Advisory ID: RO-26-002
    CVE ID: CVE-2026-22689
    Severity: High
    Vendor: axllent
    Product: Mailpit
    Version: <=1.28.1
    
    
    Overview #
    
    A Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in Mailpit. It allows remote attackers to intercept sensitive data such as email contents, headers, and server statistics in real time.
    
    
    Vulnerability Details #
    
    Affected Versions: <=1.28.1
    
    Root Cause: The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation allows attackers to hijack WebSocket connections.
    
    Vulnerable Code: The vulnerability exists in server/websockets/client.go, where the CheckOrigin function is explicitly set to return true for all requests. This overrides the default same-origin check that the gorilla/websocket library applies when CheckOrigin is left unset, so the handshake succeeds regardless of the Origin header.
    
    // Assumed package name for server/websockets/client.go; the upgrader below is the
    // vulnerable configuration shipped in Mailpit <=1.28.1.
    package websockets

    import (
        "net/http"
        "github.com/gorilla/websocket"
    )

    var upgrader = websocket.Upgrader{
        ReadBufferSize:  1024,
        WriteBufferSize: 1024,
        CheckOrigin: func(r *http.Request) bool {
            return true // accepts every Origin: this is the CSWSH defect
        },
        EnableCompression: true,
    }
    
    
    
    Exploitation Requirements #
    
        No authentication required.
        Victim must visit a malicious website while running Mailpit locally.
    
    Impact #
    
    Remote attackers can exploit this vulnerability to:
    
        Intercept sensitive email data (subjects, bodies, recipients).
        Access server statistics.
        Receive real-time notifications of new emails.
    
    Proof of Concept #
    
    An attacker can host a malicious website that establishes a WebSocket connection to the victim's Mailpit instance (e.g., ws://localhost:8025/api/events). Browsers do not enforce the Same-Origin Policy on WebSocket handshakes, so the server's Origin check is the only protection; because Mailpit disables it, the cross-origin handshake succeeds and every broadcast event is delivered to the attacker's page.
    
    
    Solution #
    
    Upgrade to the latest version of Mailpit (1.21.1 or later), which implements proper Origin validation or removes the unsafe CheckOrigin override so the library's default same-origin check applies.
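    The following is an added example, not Mailpit's code: it places the vulnerable accept-everything check beside a hardened one that reproduces gorilla/websocket's default behaviour (no Origin header passes, otherwise the Origin host must match the request Host), and runs both against constructed handshake requests for localhost:8025.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// PermissiveCheckOrigin mirrors the vulnerable Mailpit <=1.28.1 setting:
// every Origin is accepted, so any website the user visits can open the
// /api/events WebSocket and read the broadcast events.
func PermissiveCheckOrigin(r *http.Request) bool {
	return true
}

// SameOriginCheck is a hardened replacement (added example, not Mailpit's fix).
// It follows gorilla/websocket's default rule: requests without an Origin
// header (non-browser clients) pass; browser requests pass only when the
// Origin's host:port matches the Host header, compared case-insensitively.
func SameOriginCheck(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// newHandshake builds a constructed WebSocket upgrade request for testing.
func newHandshake(host, origin string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://"+host+"/api/events", nil)
	r.Host = host
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	for _, origin := range []string{"http://localhost:8025", "http://attacker.example", ""} {
		r := newHandshake("localhost:8025", origin)
		fmt.Printf("origin=%q permissive=%v sameOrigin=%v\n",
			origin, PermissiveCheckOrigin(r), SameOriginCheck(r))
	}
}
```

    Behind a reverse proxy that rewrites Host, the Host comparison may reject legitimate browsers, so an explicit allowlist of expected origins is the more robust check there.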
    
    
    References #
    
        GHSA-524m-q5m7-79mm
    
    Timeline:
    
        [2026-01-08] - Reported
        [2026-01-09] - Validated
        [2026-01-10] - Published
    
    Credits: Omar Kurt

Vulners AI Score: 5.1 (Medium risk) | CVSS 3.1: 6.5 | EPSS: 0.00012