Skip to main content

CWE-1385

Missing Origin Validation in WebSockets

26 CVEs Avg CVSS 7.0 MITRE
4
CRITICAL
9
HIGH
11
MEDIUM
1
LOW
8
POC
0
KEV

Monthly

CVE-2026-59804 HIGH POC PATCH This Week

Cross-origin WebSocket session hijacking in Midscene Bridge Server through version 1.10.3 lets any web page a victim visits connect to the locally running Socket.IO server without an Origin check or authentication token, seizing the tool's single-client slot. Once connected, a remote attacker can intercept and inject browser-automation commands, exfiltrate command-payload data, or unconditionally kill the server via the MIDSCENE_BRIDGE_SIGNAL_KILL query parameter. Publicly available exploit code exists (reported by VulnCheck) and a vendor patch is available (commit 86f4118); no active exploitation has been confirmed.

Authentication Bypass Midscene
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.2%
CVE-2026-57111 HIGH This Week

Cross-origin information disclosure in the Apache Helix REST service (helix-rest) through 2.0.0 lets a remote attacker who lures an authenticated operator to a malicious web page read responses from and send requests to administrative REST endpoints. The CORSFilter unconditionally returns Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true and reflects arbitrary preflight method/header values, defeating the browser same-origin policy. There is no public exploit identified at time of analysis and EPSS risk is low (0.17%, 7th percentile), and it is not on the CISA KEV list.

Apache Information Disclosure Helix
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-10054 HIGH PATCH This Week

Cross-site WebSocket hijacking in Eclipse Theia's browser backend (versions 1.8.1 and later) lets a foreign-origin web page reach the unauthenticated /services shell-terminal RPC namespace and execute arbitrary OS commands on the victim's host. The flaw stems from fail-open Origin validation in @theia/core combined with a client-controllable fix-origin header, so simply luring a developer running Theia to a malicious site yields remote code execution. There is no public exploit identified at time of analysis, and CVSS is rated 8.8 (High) driven by the user-interaction-only barrier.

Information Disclosure Eclipse Theia
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-44514 Go MEDIUM PATCH GHSA This Month

Kubetail Dashboard prior to version 0.14.0 fails to validate the Origin header on WebSocket connection upgrades, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks. An authenticated user visiting a malicious web page can be exploited to stream their Kubernetes container logs-including credentials, tokens, and PII often present in logs-to an attacker-controlled server. The vulnerability affects both desktop deployments at localhost:7500 and cluster deployments behind HTTP basic auth, with browser ambient credentials automatically attached to the WebSocket handshake.

Kubernetes Microsoft Docker Information Disclosure Google +1
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-34403 Go MEDIUM PATCH GHSA This Month

nginx-ui before version 2.3.5 allows Cross-Site WebSocket Hijacking (CSWSH) attacks due to improper WebSocket origin validation and insecurely configured authentication cookies. An attacker can trick a logged-in administrator into visiting a malicious webpage that establishes authenticated WebSocket connections to the target nginx-ui instance, enabling information disclosure and administrative actions without explicit user consent. Version 2.3.5 patches the issue; no public exploit code or active exploitation confirmed at time of analysis.

Information Disclosure Nginx
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-35589 HIGH This Week

Cross-Site WebSocket Hijacking in nanobot personal AI assistant (versions before 0.1.5) allows remote websites to establish unauthorized WebSocket connections to the local bridge server (ws://127.0.0.1:3001/), enabling WhatsApp session hijacking, message interception, QR code theft, and unauthorized message transmission. This vulnerability stems from incomplete remediation of CVE-2026-2577, where the added BRIDGE_TOKEN authentication is disabled by default and the server fails to validate the Origin header during WebSocket handshakes. Attack complexity is high (AC:H) but requires no authentication (PR:N), only user interaction (UI:R) such as visiting a malicious website while the bridge is running. No public exploit identified at time of analysis, though the technical details are fully disclosed in GitHub security advisory GHSA-v5j3-4q66-58cf.

Information Disclosure Nanobot
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-27977 npm MEDIUM PATCH This Month

CVE-2026-27977 is a security vulnerability (CVSS 5.4). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Red Hat
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1692 MEDIUM This Month

PcVue versions 12.0.0 through 16.3.3 lack origin validation on WebSocket connections in the GraphicalData service, enabling cross-site WebSocket hijacking attacks against authenticated users. An attacker can trick a logged-in user into visiting a malicious site to compromise the confidentiality and integrity of their PcVue session. No patch is currently available for this medium-severity vulnerability.

Information Disclosure Pcvue
NVD
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-68930 HIGH POC This Week

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. [CVSS 7.1 HIGH]

Authentication Bypass Traccar
NVD GitHub Exploit-DB VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-56647 npm MEDIUM PATCH This Month

farmfe/core versions up to 1.7.6 contains a vulnerability that allows attackers to surveil developers running Farm who visit their webpage and steal source code th (CVSS 6.5).

Node.js
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 7.6
HIGH POC PATCH This Week

Cross-origin WebSocket session hijacking in Midscene Bridge Server through version 1.10.3 lets any web page a victim visits connect to the locally running Socket.IO server without an Origin check or authentication token, seizing the tool's single-client slot. Once connected, a remote attacker can intercept and inject browser-automation commands, exfiltrate command-payload data, or unconditionally kill the server via the MIDSCENE_BRIDGE_SIGNAL_KILL query parameter. Publicly available exploit code exists (reported by VulnCheck) and a vendor patch is available (commit 86f4118); no active exploitation has been confirmed.

Authentication Bypass Midscene
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Cross-origin information disclosure in the Apache Helix REST service (helix-rest) through 2.0.0 lets a remote attacker who lures an authenticated operator to a malicious web page read responses from and send requests to administrative REST endpoints. The CORSFilter unconditionally returns Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true and reflects arbitrary preflight method/header values, defeating the browser same-origin policy. There is no public exploit identified at time of analysis and EPSS risk is low (0.17%, 7th percentile), and it is not on the CISA KEV list.

Apache Information Disclosure Helix
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-site WebSocket hijacking in Eclipse Theia's browser backend (versions 1.8.1 and later) lets a foreign-origin web page reach the unauthenticated /services shell-terminal RPC namespace and execute arbitrary OS commands on the victim's host. The flaw stems from fail-open Origin validation in @theia/core combined with a client-controllable fix-origin header, so simply luring a developer running Theia to a malicious site yields remote code execution. There is no public exploit identified at time of analysis, and CVSS is rated 8.8 (High) driven by the user-interaction-only barrier.

Information Disclosure Eclipse Theia
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Kubetail Dashboard prior to version 0.14.0 fails to validate the Origin header on WebSocket connection upgrades, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks. An authenticated user visiting a malicious web page can be exploited to stream their Kubernetes container logs-including credentials, tokens, and PII often present in logs-to an attacker-controlled server. The vulnerability affects both desktop deployments at localhost:7500 and cluster deployments behind HTTP basic auth, with browser ambient credentials automatically attached to the WebSocket handshake.

Kubernetes Microsoft Docker +3
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

nginx-ui before version 2.3.5 allows Cross-Site WebSocket Hijacking (CSWSH) attacks due to improper WebSocket origin validation and insecurely configured authentication cookies. An attacker can trick a logged-in administrator into visiting a malicious webpage that establishes authenticated WebSocket connections to the target nginx-ui instance, enabling information disclosure and administrative actions without explicit user consent. Version 2.3.5 patches the issue; no public exploit code or active exploitation confirmed at time of analysis.

Information Disclosure Nginx
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH This Week

Cross-Site WebSocket Hijacking in nanobot personal AI assistant (versions before 0.1.5) allows remote websites to establish unauthorized WebSocket connections to the local bridge server (ws://127.0.0.1:3001/), enabling WhatsApp session hijacking, message interception, QR code theft, and unauthorized message transmission. This vulnerability stems from incomplete remediation of CVE-2026-2577, where the added BRIDGE_TOKEN authentication is disabled by default and the server fails to validate the Origin header during WebSocket handshakes. Attack complexity is high (AC:H) but requires no authentication (PR:N), only user interaction (UI:R) such as visiting a malicious website while the bridge is running. No public exploit identified at time of analysis, though the technical details are fully disclosed in GitHub security advisory GHSA-v5j3-4q66-58cf.

Information Disclosure Nanobot
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

CVE-2026-27977 is a security vulnerability (CVSS 5.4). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

PcVue versions 12.0.0 through 16.3.3 lack origin validation on WebSocket connections in the GraphicalData service, enabling cross-site WebSocket hijacking attacks against authenticated users. An attacker can trick a logged-in user into visiting a malicious site to compromise the confidentiality and integrity of their PcVue session. No patch is currently available for this medium-severity vulnerability.

Information Disclosure Pcvue
NVD
EPSS 0% CVSS 7.1
HIGH POC This Week

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. [CVSS 7.1 HIGH]

Authentication Bypass Traccar
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

farmfe/core versions up to 1.7.6 contains a vulnerability that allows attackers to surveil developers running Farm who visit their webpage and steal source code th (CVSS 6.5).

Node.js
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy