📄 Mailpit 1.28.1 Cross Site WebSocket Hijacking_PACKETSTORM:214780

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Description

A cross site websocket hijacking vulnerability exists in Mailpit versions 1.28.1 and below. The vulnerability allows remote attackers to intercept sensitive data such as email contents, headers, and server statistics in real-time...

Visit Original Source

Basic Information

ID PACKETSTORM:214780

Published Feb 2, 2026 at 00:00

Affected Product

Affected Versions Mailpit - Cross-Site WebSocket Hijacking (CSWSH)
Advisory ID: RO-26-002
CVE ID: CVE-2026-22689
Severity: High
Vendor: axllent
Product: Mailpit
Version: <=1.28.1

Overview #

A Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in Mailpit. The vulnerability allows remote attackers to intercept sensitive data such as email contents, headers, and server statistics in real-time.

Vulnerability Details #

Affected Versions: <=1.28.1

Root Cause: The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation allows attackers to hijack WebSocket connections.

Vulnerable Code: The vulnerability exists in server/websockets/client.go where the CheckOrigin function is explicitly set to return true for all requests, bypassing standard Same-Origin Policy (SOP) protections provided by the gorilla/websocket library.

var upgrader = websocket.Upgrader{
ReadBufferSize: 1024,
WriteBufferSize: 1024,
CheckOrigin: func(r *http.Request) bool {
return true
},
EnableCompression: true,
}

Exploitation Requirements #

No authentication required.
Victim must visit a malicious website while running Mailpit locally.

Impact #

Remote attackers can exploit this vulnerability to:

Intercept sensitive email data (subjects, bodies, recipients).
Access server statistics.
Receive real-time notifications of new emails.

Proof of Concept #

An attacker can host a malicious website that establishes a WebSocket connection to the victim's Mailpit instance (e.g., ws://localhost:8025/api/events). Since the origin check is disabled, the browser allows this cross-origin connection, leaking all broadcasted events to the attacker.

Solution #

Upgrade to the latest version of Mailpit (1.21.1 or later) which implements proper Origin validation or removes the unsafe check to allow the library's default protection.

References #

GHSA-524m-q5m7-79mm

Timeline:

[2026-01-08] - Reported
[2026-01-09] - Validated
[2026-01-10] - Published

Credits: Omar Kurt

{
    "lastseen": "2026-02-02T18:36:23",
    "description": "A cross site websocket hijacking vulnerability exists in Mailpit versions 1.28.1 and below. The vulnerability allows remote attackers to intercept sensitive data such as email contents, headers, and server statistics in real-time...",
    "published": "2026-02-02T00:00:00",
    "modified": "2026-02-02T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Mailpit 1.28.1 Cross Site WebSocket Hijacking",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214780",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-22689"
    ],
    "sourceData": "Mailpit - Cross-Site WebSocket Hijacking (CSWSH)\n    Advisory ID: RO-26-002\n    CVE ID: CVE-2026-22689\n    Severity: High\n    Vendor: axllent\n    Product: Mailpit\n    Version: <=1.28.1\n    \n    \n    Overview #\n    \n    A Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in Mailpit. The vulnerability allows remote attackers to intercept sensitive data such as email contents, headers, and server statistics in real-time.\n    \n    \n    Vulnerability Details #\n    \n    Affected Versions: <=1.28.1\n    \n    Root Cause: The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation allows attackers to hijack WebSocket connections.\n    \n    Vulnerable Code: The vulnerability exists in server/websockets/client.go where the CheckOrigin function is explicitly set to return true for all requests, bypassing standard Same-Origin Policy (SOP) protections provided by the gorilla/websocket library.\n    \n    var upgrader = websocket.Upgrader{\n        ReadBufferSize:  1024,\n        WriteBufferSize: 1024,\n        CheckOrigin: func(r *http.Request) bool {\n            return true\n        },\n        EnableCompression: true,\n    }\n    \n    \n    \n    Exploitation Requirements #\n    \n        No authentication required.\n        Victim must visit a malicious website while running Mailpit locally.\n    \n    Impact #\n    \n    Remote attackers can exploit this vulnerability to:\n    \n        Intercept sensitive email data (subjects, bodies, recipients).\n        Access server statistics.\n        Receive real-time notifications of new emails.\n    \n    Proof of Concept #\n    \n    An attacker can host a malicious website that establishes a WebSocket connection to the victim's Mailpit instance (e.g., ws://localhost:8025/api/events). Since the origin check is disabled, the browser allows this cross-origin connection, leaking all broadcasted events to the attacker.\n    \n    \n    Solution #\n    \n    Upgrade to the latest version of Mailpit (1.21.1 or later) which implements proper Origin validation or removes the unsafe check to allow the library's default protection.\n    \n    \n    References #\n    \n        GHSA-524m-q5m7-79mm\n    \n    Timeline:\n    \n        [2026-01-08] - Reported\n        [2026-01-09] - Validated\n        [2026-01-10] - Published\n    \n    Credits: Omar Kurt",
    "sourceHref": "https://packetstorm.news/download/214780",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214780/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply