
Mailpit

v1.28.2 Security

This release contains one security fix (CVE-2026-22689) and is relevant to anyone running a Mailpit instance that is reachable from a browser.

Published 4 months ago · Communication & Email

This release patches 1 known CVE: CVE-2026-22689

Topics

email-testing, go, mailpit, pop3-server, smtp-relay, smtp-server, smtp-testing

Affected surfaces

auth

Summary

AI summary

Security release. Fixes CVE-2026-22689, a Cross-Site WebSocket Hijacking (CSWSH) flaw in the websocket that pushes real-time updates to the web UI (advisory: https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm), together with two small chores. The release notes list no new features.

Full changelog

This release includes an important security fix, so upgrading is strongly recommended.

This is a security release to address CVE-2026-22689, which allowed unauthenticated browser access to the websocket that provides the real-time web UI updates when new messages are received. A huge thanks to the security researcher (@omarkurt) who reported this issue responsibly.
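The changelog describes the bug class rather than the mechanism, so here is the mechanism in code. A browser attaches an unforgeable Origin header to every WebSocket handshake; a server that upgrades without looking at it lets any page the user visits open a socket to the UI and read the events it pushes. The Go sketch below is an added illustration written for this page (not Mailpit's code and not the actual patch): a permissive upgrade check beside one that validates Origin, with an offline probe exercising both. The endpoint path, port 8025, and the host names are assumed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// OriginAllowed is the pre-upgrade check that defends a WebSocket endpoint
// against Cross-Site WebSocket Hijacking. Browsers always send Origin on the
// handshake and a page cannot forge it, so rejecting any Origin other than the
// UI's own host (or an explicitly allowed one) stops third-party pages from
// opening the socket. A missing Origin means a non-browser client, which is
// let through: Origin is only meaningful when a browser set it, and such
// clients are covered by whatever authentication the endpoint already has.
// Hypothetical helper, not Mailpit's code.
func OriginAllowed(r *http.Request, allowed []string) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		// Covers the literal "null" origin (sandboxed iframes, file:// pages)
		// and malformed values: never treat those as trusted.
		return false
	}
	if strings.EqualFold(u.Host, r.Host) {
		return true
	}
	for _, a := range allowed { // e.g. the public name a reverse proxy serves
		if strings.EqualFold(u.Host, a) {
			return true
		}
	}
	return false
}

// wsEndpoint stands in for a WebSocket upgrade handler: it runs checkOrigin
// and then either refuses with 403 or accepts. The actual protocol switch is
// omitted so the example runs on the standard library alone.
func wsEndpoint(checkOrigin func(*http.Request) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !checkOrigin(r) {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		fmt.Fprintln(w, "upgrade accepted (simulated)")
	})
}

// VulnerableEndpoint mirrors the CSWSH-prone pattern: every Origin is accepted.
func VulnerableEndpoint() http.Handler {
	return wsEndpoint(func(*http.Request) bool { return true })
}

// HardenedEndpoint accepts same-origin handshakes plus the listed extra hosts.
func HardenedEndpoint(allowed []string) http.Handler {
	return wsEndpoint(func(r *http.Request) bool { return OriginAllowed(r, allowed) })
}

// Probe sends a constructed WebSocket handshake to h with the given Host and
// Origin (empty origin = header omitted) and returns the HTTP status code.
// The "/api/events" path is a placeholder, not necessarily the real endpoint.
func Probe(h http.Handler, host, origin string) int {
	req := httptest.NewRequest(http.MethodGet, "http://"+host+"/api/events", nil)
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Sec-WebSocket-Version", "13")
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const host = "localhost:8025" // assumed UI host:port
	cases := []string{"http://localhost:8025", "http://attacker.example", "null", ""}
	vuln := VulnerableEndpoint()
	hard := HardenedEndpoint([]string{"mail.internal.example"})
	for _, o := range cases {
		fmt.Printf("Origin=%-26q vulnerable=%d hardened=%d\n", o, Probe(vuln, host, o), Probe(hard, host, o))
	}
}
```

The same probe works against a live deployment: open a handshake with a foreign Origin from a WebSocket client and see whether the server upgrades or refuses. Two caveats worth keeping in mind: Origin validation only blocks browser-initiated cross-site connections, so it complements rather than replaces authentication on the endpoint, and an instance served through a reverse proxy under a different public name needs that name on the allow list or the check will reject the UI's own traffic.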

Security

  • Prevent Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to message data CVE-2026-22689

Chore

  • Remove webkit warnings about missing template / render functions
  • Avoid empty URL query parameter when returning to inbox from message view

About Mailpit

Email testing tool and API for developers
