CVE-2026-22689
📋 TL;DR
Mailpit versions before 1.28.2 have a Cross-Site WebSocket Hijacking vulnerability due to missing Origin header validation. This allows a malicious website to connect to a developer's local Mailpit instance and intercept email data in real time. Developers running Mailpit locally for email testing are primarily affected.
💻 Affected Systems
- Mailpit
📦 What is this software?
Mailpit by Axllent
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept all email content, headers, and server statistics from the victim's Mailpit instance, potentially exposing sensitive development data, credentials, or test emails containing real information.
Likely Case
Attackers capture email metadata and some content when developers visit malicious sites while Mailpit is running, compromising development/testing data.
If Mitigated
No data exposure occurs due to proper Origin validation restricting WebSocket connections to trusted sources only.
🎯 Exploit Status
Exploitation requires a developer to visit a malicious website while Mailpit is running locally. The attack is straightforward once the malicious site is visited.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.28.2
Vendor Advisory: https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm
Restart Required: Yes
Instructions:
1. Stop the Mailpit service.
2. Update Mailpit to version 1.28.2 or later using your package manager or by downloading from GitHub.
3. Restart the Mailpit service.
🔧 Temporary Workarounds
Disable WebSocket
Disable WebSocket functionality in the Mailpit configuration to prevent the vulnerability.
Edit the Mailpit config to set websocket: false, or use the --websocket=false flag.
Use Reverse Proxy with Origin Validation
Place Mailpit behind a reverse proxy that validates Origin headers before forwarding WebSocket connections.
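The reverse-proxy workaround depends on an exact allow-list check of the Origin header on WebSocket handshakes. The following Go program is an added example, not Mailpit's own code: it puts that check in front of a standard-library reverse proxy. The listen address, the upstream Mailpit address and the trusted origins are assumptions to adjust for your setup.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Origins (scheme://host[:port]) allowed to open a WebSocket. Assumed values.
var trustedOrigins = map[string]bool{
	"http://localhost:8025": true,
	"http://127.0.0.1:8025": true,
}

// originAllowed decides whether an Origin header may complete a WebSocket
// handshake. Exact scheme+host+port matching defeats prefix/suffix tricks such
// as "http://localhost:8025.evil.example"; "null" and junk fail to parse as
// an absolute URL. No Origin means a non-browser client: allowMissing decides.
func originAllowed(origin string, allowMissing bool) bool {
	if origin == "" {
		return allowMissing
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	return trustedOrigins[strings.ToLower(u.Scheme+"://"+u.Host)]
}

// requireTrustedOrigin rejects cross-site WebSocket handshakes with 403 before
// they reach Mailpit; ordinary HTTP requests pass through unchanged.
func requireTrustedOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		upgrade := strings.EqualFold(r.Header.Get("Upgrade"), "websocket")
		if upgrade && !originAllowed(r.Header.Get("Origin"), false) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	upstream, _ := url.Parse("http://127.0.0.1:8025") // assumed Mailpit address
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Fatal(http.ListenAndServe("127.0.0.1:8026", requireTrustedOrigin(proxy)))
}
```

Point the browser at the proxy port rather than at Mailpit directly; a handshake carrying any other Origin is refused at the proxy, while non-WebSocket requests are left to the usual same-origin and CORS rules.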
🧯 If You Can't Patch
- Run Mailpit in isolated network environments without browser access
- Use browser extensions that block WebSocket connections to localhost from external sites
🔍 How to Verify
Check if Vulnerable:
Check whether the Mailpit version is below 1.28.2 and WebSocket is enabled (the default). Test by attempting a WebSocket connection from a different origin.
Check Version:
Run mailpit --version, or check the version reported by your package manager.
Verify Fix Applied:
After updating to 1.28.2+, verify that WebSocket connections from unauthorized origins are rejected.
📡 Detection & Monitoring
Log Indicators:
- WebSocket connection attempts from non-localhost origins
- Failed WebSocket handshakes after the patch is applied
Network Indicators:
- WebSocket traffic to port 8025 from external IPs
- Cross-origin WebSocket requests to localhost
SIEM Query:
websocket AND (dest_port:8025 OR dest_ip:127.0.0.1) AND src_ip != 127.0.0.1