CVE-2026-22689
CVE-2026-22689 is a medium-severity vulnerability in Axllent Mailpit with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1385.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 0% (11th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-1872
- Weakness: CWE-1385
- Affected product: Axllent Mailpit
- Published:
- Last modified:
Description
Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2.
Frequently asked questions
- What is CVE-2026-22689?
- Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2.
- How severe is CVE-2026-22689?
- CVE-2026-22689 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-22689 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (11th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-22689?
- CVE-2026-22689 affects Axllent Mailpit. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-22689?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-22689 have an EU (EUVD) identifier?
- Yes. CVE-2026-22689 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-1872.
- When was CVE-2026-22689 published?
- CVE-2026-22689 was published on 2026-01-10 and last updated on 2026-06-17.
References
- https://github.com/axllent/mailpit/commit/6f1f4f34c98989fd873261018fb73830b30aec3f
- https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm
Affected products (1)
- cpe:2.3:a:axllent:mailpit:*:*:*:*:*:*:*:*
More vulnerabilities in Axllent Mailpit
- CVE-2026-27808 — Medium (CVSS 5.8): Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API…
- CVE-2026-23845 — Medium (CVSS 5.8): Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request…
- CVE-2026-21859 — Medium (CVSS 5.8): Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery…
- CVE-2026-23829 — Medium (CVSS 5.3): Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable…
All CVEs affecting Axllent Mailpit →
Other CWE-1385 vulnerabilities
- CVE-2024-23168 — Critical (CVSS 9.8): Vulnerability in Xiexe XSOverlay before build 647 allows non-local websites to send the malicious commands to the…
- CVE-2025-24964 — Critical (CVSS 9.6): Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when…
- CVE-2024-48849 — Critical (CVSS 9.4): Missing Origin Validation in WebSockets vulnerability in FLXEON. Session management was not sufficient to prevent…
- CVE-2025-52882 — High (CVSS 8.8): Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and…
- CVE-2026-34403 — High (CVSS 8.1): Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui…
- CVE-2025-54289 — High (CVSS 8.1): Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read…