Cross-Site WebSocket Hijacking Vulnerability in Mailpit Email Testing Tool
CVE-2026-22689
What is CVE-2026-22689?
Mailpit, a local email testing tool, accepted WebSocket handshakes without validating the Origin header in versions prior to 1.28.2. Because a browser attaches the Origin of the page that opened the socket but otherwise treats a WebSocket handshake to 127.0.0.1 like any other request, a web page under an attacker's control, visited by a developer who has Mailpit running, can open a WebSocket to that local instance and read what the server pushes over it: captured email contents and headers and server statistics, in real time, as long as the page stays open. The page needs no credentials and never has to be on the same host; the only precondition is that the developer's browser can reach the Mailpit port. This is the Cross-Site WebSocket Hijacking pattern, and the defence is server-side: the WebSocket endpoint must reject any handshake whose Origin is not one it expects before upgrading the connection. The issue is addressed in Mailpit 1.28.2.
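The following is an added example, not Mailpit's own code or the fix shipped in 1.28.2. It shows the Origin check a Go WebSocket endpoint should perform before upgrading: the Origin header, when present, must name the same host and port the request was sent to, or appear on an explicit allow-list. A handshake with no Origin is passed through, because browsers always send one on a WebSocket handshake, so its absence indicates a non-browser client that carries no ambient victim context. The handler used for "next" is a stand-in that answers 200 instead of performing a real upgrade, so the program runs with the standard library only; the Mailpit host and port (localhost:8025, the tool's default) are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// originAllowed is the check a WebSocket handshake handler should run before
// upgrading. host is the value of the request's Host header (host[:port]);
// extraAllowed lists additional full origins (scheme://host[:port]) that are
// permitted, e.g. a separate dev server that legitimately embeds the UI.
// Comparison is case-insensitive on the host but port-sensitive; default-port
// normalisation (http://host vs host:80) is deliberately not attempted here.
func originAllowed(origin, host string, extraAllowed []string) bool {
	if origin == "" {
		// No Origin: not a browser-initiated WebSocket handshake.
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		// Covers unparsable values and the literal "null" origin (sandboxed
		// iframes, file:// pages), which must never be trusted.
		return false
	}
	if strings.EqualFold(u.Host, host) {
		return true
	}
	for _, a := range extraAllowed {
		if strings.EqualFold(origin, a) {
			return true
		}
	}
	return false
}

// requireSameOrigin wraps a WebSocket endpoint so that cross-origin
// handshakes are refused with 403 before any upgrade takes place.
func requireSameOrigin(next http.Handler, extraAllowed []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !originAllowed(r.Header.Get("Origin"), r.Host, extraAllowed) {
			http.Error(w, "forbidden: cross-origin WebSocket handshake", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// upgradeStandIn takes the place of the real WebSocket upgrade so the example
// needs no third-party library; a real server would hijack the connection here.
var upgradeStandIn = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// handshakeStatus simulates a handshake to the given Host with the given
// Origin header and returns the HTTP status the guarded endpoint produces.
func handshakeStatus(origin, host string, extraAllowed []string) int {
	req := httptest.NewRequest(http.MethodGet, "/ws", nil) // path is illustrative
	req.Host = host
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Upgrade", "websocket")
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	requireSameOrigin(upgradeStandIn, extraAllowed).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	host := "localhost:8025" // assumed Mailpit listen address
	cases := []string{
		"http://localhost:8025",                   // the UI itself
		"",                                         // curl / non-browser client
		"http://attacker.example",                  // hostile page: the CSWSH case
		"http://localhost:8025.attacker.example",   // prefix-matching trap
		"null",                                     // sandboxed / file:// origin
	}
	for _, o := range cases {
		fmt.Printf("Origin=%q -> %d\n", o, handshakeStatus(o, host, nil))
	}
}
```

The check compares the whole authority (host and port), not a prefix, so "localhost:8025.attacker.example" is refused; this is the usual mistake when such checks are written with strings.HasPrefix. Whether an absent Origin should be accepted is a policy choice: keeping it permissive preserves scripted and CLI access, while a stricter deployment can return false there as well.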

Affected Version(s)
mailpit < 1.28.2
