# Mailpit - Cross-Site WebSocket Hijacking (CSWSH)

- Advisory ID: RO-26-002
- CVE ID: CVE-2026-22689
- Severity: High
- Vendor: axllent
- Product: Mailpit
- Version: <=1.28.1

## Overview

A Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in Mailpit. It allows remote attackers to intercept sensitive data such as email contents, headers, and server statistics in real time.

## Vulnerability Details

Affected Versions: <=1.28.1

Root Cause: The Mailpit WebSocket server is configured to accept connections from any origin. Because the Origin header is never validated, a page served from any other site can open a WebSocket to the server, which is what allows the connection to be hijacked.

Vulnerable Code: The vulnerability exists in server/websockets/client.go, where the CheckOrigin function is explicitly set to return true for every request. This bypasses the same-origin check that the gorilla/websocket library applies by default when CheckOrigin is left nil.

```go
package websockets

import (
	"net/http"

	"github.com/gorilla/websocket"
)

// Upgrader for the /api/events endpoint. CheckOrigin unconditionally returns
// true, so a WebSocket handshake started by a page on any origin is accepted;
// leaving CheckOrigin nil would instead apply the library's default check that
// the Origin host equals the request Host.
var upgrader = websocket.Upgrader{
	ReadBufferSize:    1024,
	WriteBufferSize:   1024,
	CheckOrigin:       func(r *http.Request) bool { return true },
	EnableCompression: true,
}
```

## Exploitation Requirements

- No authentication required.
- Victim must visit a malicious website while running Mailpit locally.

## Impact

Remote attackers can exploit this vulnerability to:

- Intercept sensitive email data (subjects, bodies, recipients).
- Access server statistics.
- Receive real-time notifications of new emails.

## Proof of Concept

An attacker can host a malicious website that establishes a WebSocket connection to the victim's Mailpit instance (e.g., ws://localhost:8025/api/events). Since the origin check is disabled, the browser allows this cross-origin connection, leaking all broadcast events to the attacker.

## Solution

Upgrade to the latest version of Mailpit (1.21.1 or later), which implements proper Origin validation or removes the unsafe check so that the library's default protection applies.

## References

- GHSA-524m-q5m7-79mm

Timeline:

- [2026-01-08] - Reported
- [2026-01-09] - Validated
- [2026-01-10] - Published

Credits: Omar Kurt
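The following is an added example, not Mailpit's own code or its actual fix, showing what a CheckOrigin implementation that closes this class of bug looks like. It mirrors the rule the gorilla/websocket default enforces (the Origin host must equal the request Host) and adds a hypothetical `allowedOrigins` allow-list for deployments that legitimately serve the UI from a different origin. Only the standard library is used so it runs stand-alone; the request values in `main` are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// checkSameOrigin accepts a WebSocket upgrade only when the browser-supplied
// Origin header matches the Host the request was sent to, or is explicitly
// allow-listed. This is the validation the advisory describes as missing;
// "allowedOrigins" is a hypothetical extension, not part of Mailpit.
func checkSameOrigin(r *http.Request, allowedOrigins []string) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		// Browsers always send Origin on a WebSocket handshake, so an absent
		// header means a non-browser client (curl, a script). That is not a
		// cross-site request, which is also how the library default treats it.
		return true
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	// "null" and other non-URL origins parse with an empty Host and are rejected
	// here, since an empty host never equals the request Host.
	if u.Host != "" && strings.EqualFold(u.Host, r.Host) {
		return true
	}
	for _, allowed := range allowedOrigins {
		if strings.EqualFold(allowed, origin) {
			return true
		}
	}
	return false
}

// eventsHandler shows where the check sits: it runs before any upgrade and
// answers 403 for cross-site handshakes. The actual upgrade call is omitted
// because it needs the websocket library; with gorilla/websocket you would
// instead set Upgrader.CheckOrigin to a closure over checkSameOrigin.
func eventsHandler(allowedOrigins []string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !checkSameOrigin(r, allowedOrigins) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		fmt.Fprintln(w, "origin accepted; upgrade would proceed here")
	}
}

func main() {
	// Constructed handshake requests: same-origin, cross-site, and no Origin.
	cases := []struct{ host, origin string }{
		{"localhost:8025", "http://localhost:8025"},
		{"localhost:8025", "http://attacker.example"},
		{"localhost:8025", ""},
	}
	for _, c := range cases {
		r, _ := http.NewRequest("GET", "http://"+c.host+"/api/events", nil)
		r.Host = c.host
		if c.origin != "" {
			r.Header.Set("Origin", c.origin)
		}
		fmt.Printf("Host=%s Origin=%q -> allowed=%v\n", c.host, c.origin, checkSameOrigin(r, nil))
	}
}
```

Note that the allow-list compares full origins (scheme, host and port), not bare hostnames, so `http://mail.internal.example` and `https://mail.internal.example` are distinct entries; matching on a substring or suffix of the host is a common way to reintroduce the bypass.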