CVE-2026-28403
Received Received - Intake
WebSocket Origin Validation Bypass in Textream Teleprompter

Publication date: 2026-03-02

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28403
EUVD
EUVD-2026-9200
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fka textream to 1.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28403 is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the DirectorServer WebSocket server component of the Textream macOS teleprompter app. Prior to version 1.5.1, the WebSocket server listens on the local loopback interface and accepts connections from any origin without validating the HTTP Origin header during the WebSocket handshake.

This lack of origin validation allows a malicious web page opened in the same browser session to silently connect to the local WebSocket server and send arbitrary DirectorCommand payloads. These commands can manipulate the live teleprompter content, such as replacing, updating, or stopping the teleprompter script, without user interaction.

The vulnerability arises because the server processes JSON-encoded commands without authentication or origin checks, enabling remote control of the teleprompter content by unauthorized parties.

Impact Analysis

This vulnerability can have several impacts on users running Textream in Director Mode on macOS:

  • High integrity impact: Attackers can silently replace, modify, or delete the live teleprompter script during presentations or broadcasts, potentially disrupting or manipulating the content being displayed.
  • Low confidentiality impact: Attackers can receive full DirectorState broadcasts, including the current script content, highlighted character count, and audio levels, potentially exposing sensitive information.
  • Low availability impact: Attackers can remotely stop an active live teleprompter session, causing interruptions.

The attack requires the user to visit a malicious web page in the same browser session, but no special privileges or network configuration are needed since the attack exploits the local loopback interface.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves the DirectorServer WebSocket server accepting connections from any origin without validating the HTTP Origin header. Detection involves monitoring WebSocket connections to the local loopback interface (ws://127.0.0.1:<httpPort+1>, default port 7576) and checking for unauthorized or unexpected WebSocket connections or messages.

You can detect potential exploitation by observing WebSocket connections on the loopback interface and inspecting the Origin header during the WebSocket handshake. Since the vulnerable server does not validate Origin, any connection from a web page could be suspicious.

Suggested commands to detect such activity include using network monitoring or packet capture tools to filter WebSocket traffic on the loopback interface and port 7576. For example:

  • Use tcpdump or Wireshark to capture WebSocket handshake traffic on localhost port 7576: tcpdump -i lo0 port 7576 -w capture.pcap
  • Use netstat or lsof to check for active connections to the WebSocket port: netstat -an | grep 7576 or lsof -iTCP:7576 -sTCP:ESTABLISHED
  • Inspect browser developer tools (Network tab) for WebSocket connections to ws://127.0.0.1:7576 and check the Origin header in the handshake request.

Because the vulnerability requires a malicious web page to connect silently, monitoring browser activity and WebSocket connections initiated from browser sessions can help detect exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade Textream to version 1.5.1 or later, where the issue is fixed.

The fix involves validating the HTTP Origin header during the WebSocket handshake to accept connections only from localhost or 127.0.0.1, and implementing a session token authentication mechanism.

  • Apply the security update that introduces a secure random authentication token generated on server start and embedded in the HTML served to clients.
  • Ensure the WebSocket server disconnects any connections that do not authenticate within a short timeout period (e.g., 5 seconds).
  • Modify client-side code to send the authentication token immediately after opening the WebSocket connection.

If upgrading immediately is not possible, restrict access to the loopback interface and monitor for suspicious WebSocket connections as a temporary measure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28403. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart