Description
Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2.
Published: 2026-01-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated real‑time interception of email contents via WebSocket hijacking.
Action: Apply Patch
AI Analysis

Impact

A local installation of the email testing tool Mailpit is vulnerable to Cross‑Site WebSocket Hijacking because the server accepts connections from any origin. This flaw allows a malicious website to force a developer to open a WebSocket to the local Mailpit instance; the attacker can then read every email, header, and statistic streamed by the server in real time. No authentication is required, and the data is not obfuscated, so attackers obtain full confidentiality of all traffic sent through the server.

Affected Systems

The vulnerability affects the axllent Mailpit product. Versions earlier than 1.28.2 are impacted, including any build that incorporates the pre‑1.28.2 WebSocket server configuration that does not validate the Origin header. Newer releases from 1.28.2 onward have the fix.

Risk and Exploitability

CVSS scoring of 6.5 indicates a medium severity; the EPSS score of <1% implies a low likelihood of exploitation in the wild. The flaw is not listed as a known exploited vulnerability in the KEV catalog. Attackers can exploit the issue by hosting a malicious page that a developer inadvertently visits while running Mailpit locally, establishing an unauthenticated WebSocket connection and harvesting sensitive data. The attack requires no prior access and leverages the lack of Origin validation on the server.

Generated by OpenCVE AI on April 18, 2026 at 07:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mailpit to version 1.28.2 or newer to enforce Origin header validation.
  • If an upgrade is not immediately possible, restrict the WebSocket endpoint to the localhost interface only and block incoming connections from external sources using a firewall or host‑based access controls.
  • Consider disabling the WebSocket API entirely in environments where Mailpit runs in production or on untrusted networks.

Generated by OpenCVE AI on April 18, 2026 at 07:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-524m-q5m7-79mm Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails
History

Wed, 18 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Axllent
Axllent mailpit
CPEs cpe:2.3:a:axllent:mailpit:*:*:*:*:*:*:*:*
Vendors & Products Axllent
Axllent mailpit

Mon, 12 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 10 Jan 2026 06:00:00 +0000

Type Values Removed Values Added
Description Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2.
Title Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails
Weaknesses CWE-1385
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Axllent Mailpit
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T16:47:34.722Z

Reserved: 2026-01-08T19:23:09.854Z

Link: CVE-2026-22689

cve-icon Vulnrichment

Updated: 2026-01-12T16:47:32.112Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-10T06:15:51.900

Modified: 2026-02-18T17:45:58.373

Link: CVE-2026-22689

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses