CVE-2026-28403
Published: 02 March 2026
Summary
CVE-2026-28403 is a high-severity Origin Validation Error (CWE-346) vulnerability in Fka Textream. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). It ranks at the 8.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requires unique identification of the service before communications, addressing failures to validate the origin of the interaction.
- Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.
- Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.
- Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.
- Mandates origin validation so that only legitimate endpoints can continue the authenticated session.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability enables a malicious webpage (visited via social engineering) to silently open a cross-origin WebSocket to the localhost DirectorServer and send arbitrary commands; this exactly matches the Drive-by Compromise (T1189) initial-access technique.
NVD Description
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.
Deeper analysis (AI-generated)
CVE-2026-28403 affects Textream, a free macOS teleprompter application, prior to version 1.5.1. The vulnerability resides in the DirectorServer WebSocket server, which listens on ws://127.0.0.1:<httpPort+1> and accepts connections from any origin without validating the HTTP Origin header during the WebSocket handshake. This missing check, mapped to CWE-346 (Origin Validation Error), allows cross-origin WebSocket connections and has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L).
An attacker exploits the flaw by luring a user into visiting a malicious web page in a browser on the same machine that is running Textream. Browsers attach the page's Origin header to every WebSocket upgrade request, but because DirectorServer never inspects it, the page can silently open a WebSocket to the local server and transmit arbitrary DirectorCommand payloads, gaining full remote control over the teleprompter's content. No privileges are required beyond the user's visit to the page, so the attack is reachable by remote attackers through social engineering.
The GitHub security advisory (GHSA-wr3v-x247-337w) and the fixing commit (f5ebad82750b9313386c34af8f0ede50c213a8a0) confirm that updating to Textream version 1.5.1 resolves the issue by validating the Origin header during the WebSocket handshake. Note that Origin validation only defends against browser-initiated connections, since the browser is what enforces the header; any local process can still connect to the port and set whatever Origin it likes. Security practitioners should advise users to update the application immediately and consider monitoring for unexpected WebSocket traffic on localhost ports.
Details
- CWE(s)