CVE-2026-28403: CWE-346: Origin Validation Error in textream
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-28403 is an origin validation error categorized under CWE-346 affecting the Textream teleprompter application for macOS. The vulnerability exists in the DirectorServer WebSocket server component, which listens on a local loopback address (ws://127.0.0.1:<httpPort+1>). Prior to version 1.5.1, this WebSocket server fails to validate the HTTP Origin header during the WebSocket handshake process. Browsers do not apply the same-origin policy to WebSocket connections; they attach an Origin header to the handshake, and the server has to check it to limit connections to trusted web pages. Without this validation, any malicious web page opened in the same browser session can silently connect to the local WebSocket server. Once connected, the attacker can send arbitrary DirectorCommand payloads, which control the teleprompter content remotely. This could allow manipulation or disruption of the teleprompter's displayed text, potentially causing misinformation or operational disruption during presentations or broadcasts. The vulnerability does not require any authentication or elevated privileges, but exploitation requires the user to visit a malicious web page, making user interaction necessary. The CVSS v3.1 base score is 7.6 (high), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and significant impact on integrity and some impact on confidentiality and availability. The issue was publicly disclosed and fixed in Textream version 1.5.1, which implements proper Origin header validation to restrict WebSocket connections to trusted sources only.
Potential Impact
The vulnerability allows attackers to remotely control the teleprompter content on affected macOS systems running Textream versions prior to 1.5.1. This can lead to misinformation during live presentations or broadcasts, undermining the integrity of the content displayed. Confidentiality is moderately impacted as an attacker could potentially infer or manipulate displayed text. Availability impact is low but present, as the teleprompter could be disrupted or rendered unusable. Organizations relying on Textream for professional or public-facing presentations risk reputational damage, misinformation dissemination, and operational disruption. Since exploitation requires user interaction (visiting a malicious web page), targeted phishing or watering hole attacks could be used to compromise specific high-value targets. The vulnerability is particularly concerning in environments where teleprompter content integrity is critical, such as media companies, government communications, and corporate presentations.
Mitigation Recommendations
Immediate upgrade of Textream to version 1.5.1 or later is the primary mitigation, as this version includes proper Origin header validation. Until upgrade, organizations should restrict access to untrusted web content on systems running vulnerable versions to reduce the risk of malicious web pages establishing WebSocket connections. Employ browser security controls such as disabling or limiting WebSocket connections from untrusted origins, using browser extensions or policies that block suspicious scripts, and educating users about the risks of visiting untrusted websites. Network-level controls can also be implemented to restrict loopback WebSocket connections if feasible. Monitoring local WebSocket server activity for unusual connections or commands may help detect exploitation attempts. Finally, organizations should consider alternative teleprompter solutions if immediate patching is not possible.
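The handshake-time Origin check that the affected versions lacked can be sketched as follows. This is an added example, not Textream's code or its 1.5.1 patch; the function names, the allowlisted origins and port 8080 are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: origins serving the app's own control page (constructed values).
ALLOWED_ORIGINS = {"http://127.0.0.1:8080", "http://localhost:8080"}

# Constructed sample: handshake head as a browser sends it for a page on an unrelated origin.
SAMPLE = (b"GET / HTTP/1.1\r\nHost: 127.0.0.1:8081\r\nUpgrade: websocket\r\n"
          b"Connection: Upgrade\r\nOrigin: https://attacker.example\r\n\r\n")

def parse_headers(raw: bytes) -> dict:
    """Parse an HTTP/1.1 request head into {lower-cased name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def normalize_origin(value: str):
    """Return scheme://host[:port] in lower case, or None if not a plain origin."""
    try:
        parts = urlsplit(value)
        port = parts.port                          # raises ValueError on a junk port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None                                # covers the literal "null" origin
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    suffix = f":{port}" if port is not None else ""
    return f"{parts.scheme}://{parts.hostname}{suffix}"

def check_handshake(raw: bytes, allowed=ALLOWED_ORIGINS):
    """Decide, before any 101 response is sent, whether to accept the upgrade."""
    headers = parse_headers(raw)
    if "websocket" not in ",".join(headers.get("upgrade", [])).lower():
        return 400, "not a WebSocket upgrade"
    origins = headers.get("origin", [])
    if len(origins) != 1:                          # absent or duplicated: fail closed
        return 403, "missing or ambiguous Origin"
    origin = normalize_origin(origins[0])
    if origin is None or origin not in allowed:    # exact match, never prefix or substring
        return 403, "origin not allowed"
    return 101, origin
```

The check only constrains browsers, which set Origin themselves and do not let page script override it; a native client can send any Origin value, so it does not replace authentication of the local socket.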
Affected Countries
United States, Canada, United Kingdom, Germany, Australia, Japan, South Korea, France, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-27T15:33:57.289Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69a5b6a132ffcdb8a25206a6
Added to database: 3/2/2026, 4:11:13 PM
Last enriched: 3/9/2026, 5:20:22 PM
Last updated: 4/15/2026, 11:35:29 PM