High-Severity Flaw in Mailpit Dev Tool Allows Email Interception

Mailpit Email Testing Tool Vulnerable to Cross-Site WebSocket Hijacking (CVE-2026-22689)

Severity: Medium
January 11, 2026
Topics: Vulnerability, Patch Management, Security Operations


Executive Summary

A high-severity vulnerability, CVE-2026-22689, has been disclosed in the Mailpit email testing tool. The flaw, a Cross-Site WebSocket Hijacking (CSWSH), affects all versions of Mailpit prior to 1.28.2. The vulnerability allows an unauthenticated, remote attacker to establish a WebSocket connection to a user's local Mailpit instance. By luring a developer running the tool to a malicious website, an attacker can intercept all emails and server statistics being processed by Mailpit in real time. This could lead to the exposure of sensitive information, credentials, or intellectual property contained within development emails. The vulnerability has a CVSS 3.1 score of 6.5 (Medium), and a patch is available.

Vulnerability Details

The root cause of CVE-2026-22689 is the Mailpit WebSocket server's failure to validate the Origin header of incoming connection requests. The browser's Same-Origin Policy does not stop a page from opening a WebSocket handshake to another origin the way it restricts cross-origin HTTP reads; instead, the server is expected to check the Origin header, which the browser always sets on a WebSocket handshake, to confirm the connection comes from a trusted site. In vulnerable versions of Mailpit, this check was missing.

Attack Scenario

  1. A developer is running a vulnerable version of Mailpit on their local machine, which by default listens on localhost:8025.
  2. An attacker creates a malicious website containing JavaScript code designed to connect to ws://localhost:8025.
  3. The developer is tricked into visiting the attacker's website (e.g., through a phishing link).
  4. The JavaScript on the malicious site successfully establishes a WebSocket connection to the developer's local Mailpit instance. Because the Origin header is not checked, the connection is allowed.
  5. The attacker can now send WebSocket commands to the Mailpit instance to subscribe to new emails and receive all data passing through the tool, including email content, headers, and attachments.

This attack is a classic example of T1189 - Drive-by Compromise, where the user's browser is used as a proxy to attack a service running on their local machine.

Affected Systems

  • Product: Mailpit
  • Affected Versions: All versions prior to 1.28.2.

Exploitation Status

There is no public information about active exploitation of this vulnerability in the wild. However, now that the vulnerability is publicly disclosed, the risk of exploitation is significantly higher, as attackers may begin scanning for developers discussing their use of the tool and targeting them.

Impact Assessment

The impact of this vulnerability depends entirely on the data being handled by Mailpit at the time of exploitation. For developers testing applications, this could include:

  • Confidential Information: Test emails containing sensitive customer data, financial information, or business logic.
  • Credentials: Password reset emails, account activation links, or API keys sent during testing.
  • Intellectual Property: Content from new product features or internal communications being tested.

While the CVSS score is 6.5 (Medium) due to the requirement for user interaction, the impact on confidentiality can be high if sensitive data is intercepted.

Detection Methods

Detecting exploitation of this vulnerability is difficult from a user's perspective. However, developers could potentially detect it through:

  • Browser Developer Tools: Checking the 'Network' tab for unexpected WebSocket connections to localhost:8025 originating from unknown websites.
  • Local Network Monitoring: Using tools to monitor local network traffic for connections to port 8025 from browser processes visiting suspicious domains.

Remediation Steps

The vulnerability has been addressed by the developer.

  1. Upgrade Immediately: All users of Mailpit should upgrade to version 1.28.2 or later. The patched version correctly validates the Origin header, preventing connections from untrusted websites.
  2. Verification: After upgrading, users can verify the fix by attempting to connect to their local Mailpit instance from a simple HTML file served from a different origin (file:// or another local server). The connection should be rejected.
  3. Workaround (Not Recommended): If upgrading is not immediately possible, users could configure a local firewall to block incoming connections to port 8025 from all applications except those that legitimately need to connect. This is a temporary and less reliable solution.
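The missing check described under Vulnerability Details and the verification step above, as an added example in Go (Mailpit's language) that is not Mailpit's own code: `originAllowed`, `vulnerableWS`, `hardenedWS`, `handshakeStatus` and the `/ws` path are assumed names, and the two handlers only stand in for the real upgrade so the accept/reject decision can be checked without a live instance.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// originAllowed is an assumed helper, not Mailpit's own code. Browsers always send
// Origin on a WebSocket handshake, so an absent Origin means a non-browser client
// that a CSWSH page cannot drive; a present one must name the host the request hit.
func originAllowed(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false // malformed Origin (including "null" from file://): never upgrade
	}
	return strings.EqualFold(u.Host, r.Host)
}

// vulnerableWS stands in for the pre-1.28.2 behaviour: every handshake is upgraded.
func vulnerableWS(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusSwitchingProtocols) // stand-in for the real upgrade
}

// hardenedWS refuses a foreign Origin before any upgrade can happen.
func hardenedWS(w http.ResponseWriter, r *http.Request) {
	if !originAllowed(r) {
		http.Error(w, "origin not allowed", http.StatusForbidden)
		return
	}
	vulnerableWS(w, r)
}

// handshakeStatus replays a request with the given Origin ("" = header absent)
// against a handler and returns the status it answers with: the verification step.
func handshakeStatus(h http.HandlerFunc, host, origin string) int {
	req := httptest.NewRequest("GET", "http://"+host+"/ws", nil) // constructed path
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() { fmt.Println(handshakeStatus(hardenedWS, "localhost:8025", "https://other-origin.example")) }
```

Against a real instance the same verification is the HTML page from a different origin that step 2 describes: the patched server answers the handshake with a non-101 status instead of upgrading.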

This vulnerability underscores the importance of secure coding practices, even for developer tools, and the need for developers to keep their entire toolchain up to date, aligning with M1051 - Update Software.

Timeline of Events

  1. January 10, 2026: CVE-2026-22689 is published in the National Vulnerability Database (NVD).
  2. January 11, 2026: This article was published.

MITRE ATT&CK Mitigations

The primary and most effective mitigation is to update Mailpit to a patched version (1.28.2 or later).

Using browser security tools or web filters to block access to known malicious websites can prevent users from visiting the site that hosts the exploit code.

D3FEND Defensive Countermeasures

The most critical and effective countermeasure against CVE-2026-22689 is to immediately update the Mailpit tool to version 1.28.2 or a newer release. This patch directly addresses the root cause of the vulnerability by implementing proper 'Origin' header validation on the WebSocket server. Developers should check their project dependencies and local development environments to ensure all instances of Mailpit are upgraded. For projects using dependency management tools like go.mod or package.json, this involves updating the version constraint and running the appropriate update command. This single action completely remediates the threat.

As a temporary workaround or a defense-in-depth measure, developers can configure their local machine's firewall to restrict inbound traffic to port 8025, the default for Mailpit. A rule should be created to only allow connections to this port from the local machine itself (127.0.0.1). This would prevent a malicious website visited in the browser from establishing a connection to the local Mailpit service. While less robust than patching, as it relies on correct firewall configuration and doesn't fix the underlying software flaw, it provides a compensating control that can block the specific attack vector described for CVE-2026-22689.

Sources & References

  • CVE-2026-22689 Detail, NIST NVD (nvd.nist.gov), January 10, 2026
  • CVE-2026-22689 | INCIBE-CERT, INCIBE-CERT (incibe-cert.es), January 10, 2026
  • VuXML: mail/mailpit -- Cross-Site WebSocket Hijacking, VuXML (vuxml.org), January 10, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags

CSWSH, WebSocket, Developer Tool, CVE, Patch, Vulnerability
