Share
## https://sploitus.com/exploit?id=PACKETSTORM:214780
Mailpit - Cross-Site WebSocket Hijacking (CSWSH)
    Advisory ID: RO-26-002
    CVE ID: CVE-2026-22689
    Severity: High
    Vendor: axllent
    Product: Mailpit
    Version: <=1.28.1
    
    
    Overview #
    
    A Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in Mailpit. The vulnerability allows remote attackers to intercept sensitive data such as email contents, headers, and server statistics in real-time.
    
    
    Vulnerability Details #
    
    Affected Versions: <=1.28.1
    
    Root Cause: The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation allows attackers to hijack WebSocket connections.
    
    Vulnerable Code: The vulnerability exists in server/websockets/client.go where the CheckOrigin function is explicitly set to return true for all requests, bypassing standard Same-Origin Policy (SOP) protections provided by the gorilla/websocket library.
    
    var upgrader = websocket.Upgrader{
        ReadBufferSize:  1024,
        WriteBufferSize: 1024,
        CheckOrigin: func(r *http.Request) bool {
            return true
        },
        EnableCompression: true,
    }
    
    
    
    Exploitation Requirements #
    
        No authentication required.
        Victim must visit a malicious website while running Mailpit locally.
    
    Impact #
    
    Remote attackers can exploit this vulnerability to:
    
        Intercept sensitive email data (subjects, bodies, recipients).
        Access server statistics.
        Receive real-time notifications of new emails.
    
    Proof of Concept #
    
    An attacker can host a malicious website that establishes a WebSocket connection to the victim's Mailpit instance (e.g., ws://localhost:8025/api/events). Since the origin check is disabled, the browser allows this cross-origin connection, leaking all broadcasted events to the attacker.
    
    
    Solution #
    
    Upgrade to the latest version of Mailpit (1.21.1 or later) which implements proper Origin validation or removes the unsafe check to allow the library's default protection.
    
    
    References #
    
        GHSA-524m-q5m7-79mm
    
    Timeline:
    
        [2026-01-08] - Reported
        [2026-01-09] - Validated
        [2026-01-10] - Published
    
    Credits: Omar Kurt