{"id":38574,"date":"2026-02-02T13:42:34","date_gmt":"2026-02-02T13:42:34","guid":{"rendered":"http:\/\/localhost\/?p=38574"},"modified":"2026-02-02T13:42:34","modified_gmt":"2026-02-02T13:42:34","slug":"mailpit-1281-cross-site-websocket-hijacking","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=38574","title":{"rendered":"\ud83d\udcc4 Mailpit 1.28.1 Cross Site WebSocket Hijacking_PACKETSTORM:214780"},"content":{"rendered":"

{“lastseen”:”2026-02-02T18:36:23″,”description”:”A cross site websocket hijacking vulnerability exists in Mailpit versions 1.28.1 and below. The vulnerability allows remote attackers to intercept sensitive data such as email contents, headers, and server statistics in real-time…”,”published”:”2026-02-02T00:00:00″,”modified”:”2026-02-02T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Mailpit 1.28.1 Cross Site WebSocket Hijacking”,”source”:””,”references”:””,”id”:”PACKETSTORM:214780″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-22689″],”sourceData”:”Mailpit – Cross-Site WebSocket Hijacking (CSWSH)\\n Advisory ID: RO-26-002\\n CVE ID: CVE-2026-22689\\n Severity: High\\n Vendor: axllent\\n Product: Mailpit\\n Version: \\u003c=1.28.1\\n \\n \\n Overview #\\n \\n A Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in Mailpit. The vulnerability allows remote attackers to intercept sensitive data such as email contents, headers, and server statistics in real-time.\\n \\n \\n Vulnerability Details #\\n \\n Affected Versions: \\u003c=1.28.1\\n \\n Root Cause: The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation allows attackers to hijack WebSocket connections.\\n \\n Vulnerable Code: The vulnerability exists in server\/websockets\/client.go where the CheckOrigin function is explicitly set to return true for all requests, bypassing standard Same-Origin Policy (SOP) protections provided by the gorilla\/websocket library.\\n \\n var upgrader = websocket.Upgrader{\\n ReadBufferSize: 1024,\\n WriteBufferSize: 1024,\\n CheckOrigin: func(r *http.Request) bool {\\n return true\\n },\\n EnableCompression: true,\\n }\\n \\n \\n \\n Exploitation Requirements #\\n \\n No authentication required.\\n Victim must visit a malicious website while running Mailpit locally.\\n \\n Impact #\\n \\n Remote attackers can exploit this vulnerability to:\\n \\n Intercept sensitive email data (subjects, bodies, recipients).\\n Access server statistics.\\n Receive real-time notifications of new emails.\\n \\n Proof of Concept #\\n \\n An attacker can host a malicious website that establishes a WebSocket connection to the victim’s Mailpit instance (e.g., ws:\/\/localhost:8025\/api\/events). Since the origin check is disabled, the browser allows this cross-origin connection, leaking all broadcasted events to the attacker.\\n \\n \\n Solution #\\n \\n Upgrade to the latest version of Mailpit (1.21.1 or later) which implements proper Origin validation or removes the unsafe check to allow the library’s default protection.\\n \\n \\n References #\\n \\n GHSA-524m-q5m7-79mm\\n \\n Timeline:\\n \\n [2026-01-08] – Reported\\n [2026-01-09] – Validated\\n [2026-01-10] – Published\\n \\n Credits: Omar Kurt”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214780″,”cvss”:{“score”:6.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214780\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-02-02T18:36:23″,”description”:”A cross site websocket hijacking vulnerability exists in Mailpit versions 1.28.1 and below. The vulnerability allows remote attackers to intercept sensitive data such as email…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,26,12,21,13,53,7,11,5],"class_list":["post-38574","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-65","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Mailpit 1.28.1 Cross Site WebSocket Hijacking_PACKETSTORM:214780 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=38574\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Mailpit 1.28.1 Cross Site WebSocket Hijacking_PACKETSTORM:214780 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-02-02T18:36:23″,”description”:”A cross site websocket hijacking vulnerability exists in Mailpit versions 1.28.1 and below. The vulnerability allows remote attackers to intercept sensitive data such as email...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=38574\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-02T13:42:34+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38574#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38574\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Mailpit 1.28.1 Cross Site WebSocket Hijacking_PACKETSTORM:214780\",\"datePublished\":\"2026-02-02T13:42:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38574\"},\"wordCount\":486,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-6.5\",\"exploit\",\"MEDIUM\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=38574#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38574\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38574\",\"name\":\"\ud83d\udcc4 Mailpit 1.28.1 Cross Site WebSocket Hijacking_PACKETSTORM:214780 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-02T13:42:34+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38574#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=38574\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38574#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Mailpit 1.28.1 Cross Site WebSocket Hijacking_PACKETSTORM:214780\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Mailpit 1.28.1 Cross Site WebSocket Hijacking_PACKETSTORM:214780 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=38574","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Mailpit 1.28.1 Cross Site WebSocket Hijacking_PACKETSTORM:214780 - zero redgem","og_description":"{“lastseen”:”2026-02-02T18:36:23″,”description”:”A cross site websocket hijacking vulnerability exists in Mailpit versions 1.28.1 and below. The vulnerability allows remote attackers to intercept sensitive data such as email...","og_url":"https:\/\/zero.redgem.net\/?p=38574","og_site_name":"zero redgem","article_published_time":"2026-02-02T13:42:34+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=38574#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=38574"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Mailpit 1.28.1 Cross Site WebSocket Hijacking_PACKETSTORM:214780","datePublished":"2026-02-02T13:42:34+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=38574"},"wordCount":486,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-6.5","exploit","MEDIUM","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=38574#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=38574","url":"https:\/\/zero.redgem.net\/?p=38574","name":"\ud83d\udcc4 Mailpit 1.28.1 Cross Site WebSocket Hijacking_PACKETSTORM:214780 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-02T13:42:34+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=38574#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=38574"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=38574#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Mailpit 1.28.1 Cross Site WebSocket Hijacking_PACKETSTORM:214780"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/38574","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=38574"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/38574\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=38574"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=38574"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=38574"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}