CVE-2026-22689

Mailpit Stop: Crashing the Localhost Party with CVE-2026-22689

Alon Barad, Software Engineer

Jan 13, 2026 · 6 min read

Executive Summary (TL;DR)

A flaw in Mailpit's WebSocket configuration disabled Origin validation on its WebSocket endpoint. Any website a developer visits can therefore open a WebSocket connection to their local Mailpit instance (by default `ws://localhost:8025`): the browser's same-origin policy does not restrict WebSocket handshakes, it only attaches an Origin header and leaves the decision to the server, and the server no longer made that decision. An attacker who gets such a connection can read every captured email in real time: password resets, 2FA codes and PII. The fix is a one-line code deletion that restores the default Origin check. NVD rates the issue 6.5 (Medium) because it needs the developer to visit an attacker-controlled page, but the confidentiality impact is high.

Mailpit, the widely used email testing tool for developers, inadvertently left its WebSocket endpoint open to any website a developer's browser loads. Through a Cross-Site WebSocket Hijacking (CSWSH) vulnerability, a remote attacker could siphon sensitive emails out of a developer's localhost environment simply by convincing them to visit a malicious webpage: the page opens a WebSocket to localhost, the browser connects on its behalf, and Mailpit accepted the handshake without checking where it came from.
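The check that was missing, shown as an added example rather than Mailpit's own code. It assumes the pattern common to Go WebSocket servers (gorilla/websocket and similar), where an upgrader applies a same-origin check by default unless the application installs an override that returns true for every request; the function names, the handler wiring and the 127.0.0.1:8025 bind address are illustrative assumptions, not taken from the Mailpit source.

```go
package main

import (
	"log"
	"net/http"
	"net/url"
	"strings"
)

// sameOriginCheck reimplements the default behaviour a Go websocket upgrader
// applies when no custom origin check is configured (assumption: Mailpit uses
// the gorilla/websocket pattern; this is a stand-alone reimplementation, not
// Mailpit's code). A handshake passes only when the client sent no Origin
// header at all (a non-browser client) or when the Origin's host is exactly
// the host:port the request was addressed to.
func sameOriginCheck(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// allowAnyOrigin is the shape of override that turns the check off: every
// Origin, including https://attacker.example, is accepted. Deleting an
// override like this is what restores the default check described above.
func allowAnyOrigin(r *http.Request) bool {
	return true
}

// requireOrigin gates a websocket endpoint: a request failing check is refused
// with 403 before any upgrade takes place, so a cross-site page never obtains
// a socket to read events from.
func requireOrigin(check func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !check(r) {
			http.Error(w, "forbidden: origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// eventsEndpoint stands in for the real websocket upgrade (hypothetical path);
// it only reports that the handshake got past the origin gate.
var eventsEndpoint = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	w.Write([]byte("origin accepted; websocket upgrade would proceed here\n"))
})

func main() {
	mux := http.NewServeMux()
	// Hardened wiring: the default same-origin semantics, no override.
	mux.Handle("/api/events", requireOrigin(sameOriginCheck, eventsEndpoint))
	// Vulnerable wiring would be requireOrigin(allowAnyOrigin, eventsEndpoint).
	log.Println("listening on 127.0.0.1:8025 (address assumed from the article)")
	log.Fatal(http.ListenAndServe("127.0.0.1:8025", mux))
}
```

A quick manual check against any instance: send the handshake with a foreign Origin (`curl -i -H "Origin: https://attacker.example" -H "Connection: Upgrade" -H "Upgrade: websocket" -H "Sec-WebSocket-Version: 13" -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" http://localhost:8025/api/events`) and expect a 403 rather than a 101. One caveat a practitioner should keep in mind: the default check compares Origin against the Host header, so it does not defeat DNS rebinding, where the attacker's hostname resolves to 127.0.0.1 and both headers carry the attacker's name; binding to loopback only and comparing Host against an explicit allowlist of expected names is the stronger control.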

Technical Appendix

CVSS Score: 6.5 / 10 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Probability: 0.01%

Affected Systems

Mailpit < 1.28.2

Affected Versions Detail

Product: Mailpit (axllent)
Affected Versions: < 1.28.2
Fixed Version: 1.28.2
CWE ID: CWE-1385
Attack Vector: Network (CSWSH)
CVSS Score: 6.5 (Medium)
Impact: Confidentiality (High)
EPSS Score: 0.00015
Exploit Status: PoC Available
CWE-1385: Missing Origin Validation in WebSockets

Vulnerability Timeline

Vulnerability Disclosed: 2026-01-10
Patch Released (v1.28.2): 2026-01-10
NVD Analysis Completed: 2026-01-13
