CVE-2026-28403
Received - Intake
WebSocket Origin Validation Bypass in Textream Teleprompter

Publication date: 2026-03-02

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-03-02
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: fka
Product: textream
Version / Range: up to 1.5.1 (excluding 1.5.1)
CWE
CWE-346: The product does not properly verify that the source of data or communication is valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28403 is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the DirectorServer WebSocket server component of the Textream macOS teleprompter app. Prior to version 1.5.1, the WebSocket server listens on the local loopback interface and accepts connections from any origin without validating the HTTP Origin header during the WebSocket handshake.

This lack of origin validation allows a malicious web page opened in the same browser session to silently connect to the local WebSocket server and send arbitrary DirectorCommand payloads. These commands can manipulate the live teleprompter content, such as replacing, updating, or stopping the teleprompter script, without user interaction.

The vulnerability arises because the server processes JSON-encoded commands without authentication or origin checks, enabling remote control of the teleprompter content by unauthorized parties.


How can this vulnerability impact me?

This vulnerability can have several impacts on users running Textream in Director Mode on macOS:

  • High integrity impact: Attackers can silently replace, modify, or delete the live teleprompter script during presentations or broadcasts, potentially disrupting or manipulating the content being displayed.
  • Low confidentiality impact: Attackers can receive full DirectorState broadcasts, including the current script content, highlighted character count, and audio levels, potentially exposing sensitive information.
  • Low availability impact: Attackers can remotely stop an active live teleprompter session, causing interruptions.

The attack requires the user to visit a malicious web page in the same browser session, but no special privileges or network configuration are needed since the attack exploits the local loopback interface.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the DirectorServer WebSocket server accepting connections from any origin without validating the HTTP Origin header. Detection involves monitoring WebSocket connections to the local loopback interface (ws://127.0.0.1:<httpPort+1>, default port 7576) and checking for unauthorized or unexpected WebSocket connections or messages.

You can detect potential exploitation by observing WebSocket connections on the loopback interface and inspecting the Origin header of the handshake request. The handshake is plain ws:// on loopback, so the header is visible in a capture, and because the browser sets Origin itself (a page cannot alter it), any handshake whose Origin is not the app's own page at http://127.0.0.1:<httpPort> or http://localhost:<httpPort> is the signal to look for; the vulnerable server accepts such connections instead of rejecting them.

Suggested commands to detect such activity include using network monitoring or packet capture tools to filter WebSocket traffic on the loopback interface and port 7576. For example:

  • Use tcpdump or Wireshark to capture WebSocket handshake traffic on localhost port 7576: `tcpdump -i lo0 port 7576 -w capture.pcap`, then look at the Origin header of each HTTP upgrade request in the capture.
  • Use netstat or lsof to check for active connections to the WebSocket port: `netstat -an | grep 7576` or `lsof -iTCP:7576 -sTCP:ESTABLISHED`. These show only that a connection exists and which process owns it, not the Origin, so pair them with a capture to decide whether a connection is legitimate.
  • Inspect browser developer tools (Network tab) for WebSocket connections to ws://127.0.0.1:7576 and check the Origin header in the handshake request; a connection opened from a tab whose page is not the Textream page is the indicator.

Because the vulnerability requires a malicious web page to connect silently, monitoring browser activity and WebSocket connections initiated from browser sessions can help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, you should upgrade Textream to version 1.5.1 or later, where the issue is fixed.

The fix involves validating the HTTP Origin header during the WebSocket handshake to accept connections only from localhost or 127.0.0.1, and implementing a session token authentication mechanism.

  • Apply the security update that introduces a secure random authentication token generated on server start and embedded in the HTML served to clients.
  • Ensure the WebSocket server disconnects any connections that do not authenticate within a short timeout period (e.g., 5 seconds).
  • Modify client-side code to send the authentication token immediately after opening the WebSocket connection.

If upgrading immediately is not possible, restrict access to the loopback interface and monitor for suspicious WebSocket connections as a temporary measure.
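The check below is an added example, not Textream's own code: it implements the Origin gate described in the mitigation above (accept only the app's own loopback page) together with the token-within-timeout rule, and the same classifier can be run over handshake requests pulled from a loopback capture for the detection described earlier. It assumes the HTTP page is served on port 7575 (so the WebSocket port is 7576); the sample handshakes are constructed, not real captures.

```python
import secrets
from urllib.parse import urlsplit
# Loopback hosts from which the app's own HTML page can legitimately be opened.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

def parse_handshake(raw):
    """Split a raw HTTP/1.1 upgrade request into lower-cased header fields."""
    headers = {}
    for line in raw.partition("\r\n\r\n")[0].split("\r\n")[1:]:  # skip request line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers

def origin_allowed(origin, http_port):
    """Accept only the app's own loopback HTTP page as Origin. The browser sets
    Origin itself and a page cannot alter it; missing or 'null' Origin is rejected."""
    if not origin:
        return False
    try:
        parts = urlsplit(origin)
        return (parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS
                and parts.port == http_port)
    except ValueError:  # malformed Origin (e.g. non-numeric port)
        return False

def classify_handshake(raw, http_port):
    """Return (decision, origin) for an upgrade request. The same rule is the
    server-side gate and a detection rule over captured loopback handshakes."""
    h = parse_handshake(raw)
    origin = h.get("origin")
    if h.get("upgrade", "").lower() != "websocket":
        return "not-websocket", origin
    return ("accept" if origin_allowed(origin, http_port) else "reject"), origin

def first_message_authenticates(msg, expected_token, elapsed_s, timeout_s=5.0):
    """Second layer of the fix: the first frame must carry the per-launch random
    token (e.g. secrets.token_urlsafe(32)) within the timeout, else drop the socket."""
    token = msg.get("token")
    if elapsed_s > timeout_s or not isinstance(token, str):
        return False
    return secrets.compare_digest(token, expected_token)

# Constructed sample handshakes (not real captures); HTTP page on 7575, WebSocket on 7576.
LEGIT = ("GET / HTTP/1.1\r\nHost: 127.0.0.1:7576\r\nUpgrade: websocket\r\n"
         "Connection: Upgrade\r\nOrigin: http://127.0.0.1:7575\r\n"
         "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n\r\n")
CROSS_SITE = LEGIT.replace("Origin: http://127.0.0.1:7575", "Origin: https://other-site.example")
NO_ORIGIN = LEGIT.replace("Origin: http://127.0.0.1:7575\r\n", "")
```

Feeding the upgrade requests from a `tcpdump -i lo0 port 7576` capture through `classify_handshake` flags exactly the handshakes a fixed server would refuse.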

