CVE-2026-22689
Cross-Site WebSocket Hijacking in Mailpit Before

Publication date: 2026-01-10

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-11
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: axllent
Product: mailpit
Version / Range: up to 1.28.2 (excluding 1.28.2)
CWE
CWE-1385: The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to intercept sensitive email data, including contents, headers, and sender/recipient information, in real-time without authentication. Such unauthorized disclosure of sensitive personal or confidential information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and health-related data against unauthorized access and breaches. Therefore, the vulnerability poses a risk to compliance by potentially exposing protected data to attackers. [1]


Can you explain this vulnerability to me?

This vulnerability is a Cross-Site WebSocket Hijacking (CSWSH) issue in the Mailpit WebSocket server. The server was configured to accept WebSocket connections from any origin without validating the Origin header, which bypasses the browser's Same-Origin Policy protections. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the developer's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, sender and recipient information, and server statistics in real-time. The root cause is that the CheckOrigin function in the WebSocket upgrader was set to always return true, disabling origin validation. This vulnerability was fixed by removing this unsafe override to restore proper origin checking. [1]


How can this vulnerability impact me?

This vulnerability can lead to a breach of confidentiality by allowing an attacker to intercept sensitive data transmitted over the WebSocket connection. Specifically, if a developer running Mailpit locally visits a malicious website, the attacker can hijack the WebSocket connection to Mailpit and access real-time email contents, headers, sender and recipient information, and server statistics without any authentication or privileges. This can expose sensitive email data and server metrics to unauthorized remote attackers, potentially compromising privacy and security. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether the Mailpit WebSocket server accepts connections from any origin without validating the Origin header. One approach is to attempt a WebSocket connection from a different origin to the Mailpit WebSocket endpoint (default ws://localhost:8025/api/events) and observe whether it is accepted; a command-line WebSocket client, or a short JavaScript snippet run in a browser console on a page served from a different origin, can be used for this. If the connection succeeds, the instance is vulnerable. Inspecting the Mailpit source or configuration for a CheckOrigin function that always returns true also confirms the vulnerability. Tools such as 'websocat' or 'wscat' can open the connection, e.g.: wscat -c ws://localhost:8025/api/events. If the connection is accepted without origin restrictions, the vulnerability exists. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Mailpit to version 1.28.2 or later, where the vulnerability has been patched. The patch removes the unsafe CheckOrigin override in the WebSocket upgrader, restoring proper Origin header validation. If upgrading is not immediately possible, a temporary mitigation is to modify the Mailpit WebSocket server configuration to implement strict origin validation logic instead of allowing all origins. Specifically, remove or disable the CheckOrigin function that always returns true, allowing the default gorilla/websocket library origin checks to apply. This prevents cross-origin WebSocket connections and blocks the Cross-Site WebSocket Hijacking attack. [1, 2]
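To make the root cause and the fix concrete, here is an added Go example (not Mailpit's or gorilla/websocket's own code): the always-true CheckOrigin override described above, beside an illustrative re-implementation of the default same-origin check that gorilla/websocket applies once the override is removed, wired into a stand-in handler so a handshake from another origin can be seen rejected with 403. The names vulnerableCheckOrigin, sameOriginCheck, guardHandler and probe are assumptions introduced for this example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// vulnerableCheckOrigin mirrors the pre-1.28.2 override the advisory describes:
// every Origin is accepted, so a page served by any site can open the socket.
func vulnerableCheckOrigin(r *http.Request) bool { return true }

// sameOriginCheck is an illustrative re-implementation (not gorilla's own code)
// of the default check gorilla/websocket applies when CheckOrigin is nil: no
// Origin header (a non-browser client) passes; otherwise the Origin host must
// equal the request Host, compared case-insensitively.
func sameOriginCheck(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// guardHandler runs the chosen origin check before a simulated upgrade: 403 on
// failure (as gorilla's Upgrader responds), 101 when the upgrade would proceed.
func guardHandler(check func(*http.Request) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !check(r) {
			http.Error(w, "websocket: request origin not allowed", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusSwitchingProtocols)
	})
}

// probe sends a constructed handshake for /api/events with the given Host and
// Origin ("" means no Origin header) and returns the resulting status code.
func probe(check func(*http.Request) bool, host, origin string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/events", nil)
	req.Host = host
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	guardHandler(check).ServeHTTP(rec, req)
	return rec.Code
}
```

Running probe with Host localhost:8025 and an Origin from another site returns 101 through vulnerableCheckOrigin but 403 through sameOriginCheck, which is the behaviour the 1.28.2 fix restores.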

