Mailpit 1.28.1 Cross Site WebSocket Hijacking

Mailpit - Cross-Site WebSocket Hijacking (CSWSH)
Advisory ID: RO-26-002
CVE ID: CVE-2026-22689
Severity: High
Vendor: axllent
Product: Mailpit
Version: <=1.28.1


Overview

A Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in Mailpit's WebSocket event endpoint. A remote attacker who gets a user running Mailpit to visit a malicious web page can open a WebSocket to that user's Mailpit instance from the page and read, in real time, everything the server broadcasts: email contents, headers and server statistics.


Vulnerability Details

Affected Versions: <=1.28.1

Root Cause: The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation allows attackers to hijack WebSocket connections.

Vulnerable Code: The vulnerability exists in server/websockets/client.go, where the Upgrader's CheckOrigin callback is explicitly set to return true for every request. This overrides the gorilla/websocket default, which (when CheckOrigin is nil) rejects a handshake whose Origin host does not match the request's Host header. Browsers do not apply the same-origin policy to WebSocket connections, so this server-side Origin check is the only thing standing between a third-party page and the event stream.

import (
	"net/http"

	"github.com/gorilla/websocket"
)

// Vulnerable upgrader (<=1.28.1): CheckOrigin accepts every request, so the
// library's default same-host Origin check never runs.
var upgrader = websocket.Upgrader{
	ReadBufferSize:  1024,
	WriteBufferSize: 1024,
	CheckOrigin: func(r *http.Request) bool {
		return true // any Origin, including an attacker's page, is accepted
	},
	EnableCompression: true,
}



Exploitation Requirements

No authentication required: the WebSocket endpoint is reachable without credentials.
The victim must visit an attacker-controlled web page from a browser that can reach the Mailpit instance, for example while running Mailpit locally on its default port 8025.

Impact

Remote attackers can exploit this vulnerability to:

Intercept sensitive email data (subjects, bodies, recipients).
Access server statistics.
Receive real-time notifications of new emails.

Proof of Concept

An attacker can host a malicious website whose script establishes a WebSocket connection to the victim's Mailpit instance (e.g., ws://localhost:8025/api/events). The browser permits the cross-origin handshake, because the same-origin policy does not govern WebSockets; the only signal the server receives is the Origin header carrying the attacker's site, and Mailpit ignores it. Unlike a cross-origin fetch, whose response the page cannot read, every message on the hijacked WebSocket is fully readable by the attacker's script, so all broadcast events leak to the attacker.


Solution

Upgrade to a release of Mailpit newer than 1.28.1 that implements proper Origin validation. Equivalent fixes at the code level are to validate the Origin header against the host Mailpit is served on, or to remove the custom CheckOrigin entirely so the gorilla/websocket default applies (reject any handshake whose Origin host differs from the request Host).
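To make the root cause and the fix concrete, the following is an added, stand-alone Go example written for this page; it is not Mailpit's code. It puts the page's `return true` check next to a hand-written equivalent of the gorilla/websocket default same-host check, runs a simulated handshake to /api/events through each with a constructed attacker Origin and a same-host Origin, and reports which handshakes get through. The host name, the origins, the stubbed 101 response and the handler wrapper are assumptions for the demonstration; only the standard library is used, so it runs without Mailpit or gorilla/websocket installed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed values for the demonstration (assumptions, not from the advisory).
const (
	mailpitHost    = "localhost:8025"
	legitOrigin    = "http://localhost:8025"
	attackerOrigin = "https://attacker.example"
)

// vulnerableCheckOrigin mirrors the behaviour described in the advisory:
// every Origin is accepted, so a page on any site can complete the handshake.
func vulnerableCheckOrigin(r *http.Request) bool {
	return true
}

// sameHostCheckOrigin is a hand-written equivalent of the gorilla/websocket
// default (used when Upgrader.CheckOrigin is nil): accept when Origin is absent
// (non-browser client) or when its host equals the request Host, compared
// case-insensitively. Illustrative reimplementation, not Mailpit's code.
func sameHostCheckOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// eventsHandler places an origin check in front of the upgrade step, as a
// WebSocket handler does. The upgrade itself is stubbed: a failing check must
// answer 403 before any frames can flow; 101 stands in for a successful upgrade.
func eventsHandler(check func(*http.Request) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !check(r) {
			http.Error(w, "websocket: request origin not allowed", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusSwitchingProtocols)
	})
}

// handshakeStatus sends a WebSocket-style handshake for /api/events carrying
// the given Origin (empty string = no Origin header) and returns the HTTP
// status the handler produced.
func handshakeStatus(check func(*http.Request) bool, origin string) int {
	req := httptest.NewRequest(http.MethodGet, "http://"+mailpitHost+"/api/events", nil)
	req.Host = mailpitHost
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Sec-WebSocket-Version", "13")
	req.Header.Set("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ==") // RFC 6455 sample key
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	eventsHandler(check).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	checks := []struct {
		name  string
		check func(*http.Request) bool
	}{
		{"CheckOrigin returning true (<=1.28.1)", vulnerableCheckOrigin},
		{"same-host check (library default)", sameHostCheckOrigin},
	}
	for _, c := range checks {
		fmt.Println(c.name)
		fmt.Printf("  Origin %-26s -> %d\n", legitOrigin, handshakeStatus(c.check, legitOrigin))
		fmt.Printf("  Origin %-26s -> %d\n", attackerOrigin, handshakeStatus(c.check, attackerOrigin))
	}
}
```

With the vulnerable check both origins receive 101 and the attacker's page would go on to receive every broadcast event; with the same-host check the attacker's Origin is turned away with 403 before the upgrade, while the Mailpit UI's own Origin (and non-browser clients that send no Origin) still connect. One deployment caveat follows from the check itself: if the UI is served through a reverse proxy under a different host name than the one clients send in Host, the default same-host comparison will reject the legitimate UI too, so the allowed origin has to match how the instance is actually reached.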


References

GHSA-524m-q5m7-79mm

Timeline:

[2026-01-08] - Reported
[2026-01-09] - Validated
[2026-01-10] - Published

Credits: Omar Kurt
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸