CVE-2026-28403 is an origin validation error (CWE-346) affecting the Textream teleprompter app on macOS prior to version 1.5.1. The vulnerability exists in the DirectorServer WebSocket server component, which listens on a local loopback address (ws://127.0.0.1:<httpPort+1>). During the WebSocket handshake, the server fails to validate the HTTP Origin header, a critical security check that ensures only trusted origins can establish a WebSocket connection. Because of this omission, any malicious web page opened in the same browser session can silently connect to the local WebSocket server without user knowledge or explicit permission. Once connected, the attacker can send arbitrary DirectorCommand payloads, which the server processes, allowing full remote control over the teleprompter content displayed by Textream. This can lead to unauthorized manipulation of teleprompter scripts, potentially disrupting live broadcasts or presentations. The vulnerability requires user interaction in the form of visiting a malicious web page but does not require any authentication or elevated privileges. The CVSS v3.1 base score is 7.6, reflecting high severity due to the ease of exploitation over the network, lack of required privileges, and significant impact on integrity and availability. The issue was addressed in Textream version 1.5.1 by implementing proper Origin header validation during the WebSocket handshake, preventing unauthorized external web pages from establishing connections. No known exploits are currently reported in the wild. This vulnerability highlights the importance of strict origin checks in local WebSocket servers to prevent cross-origin attacks.

The primary impact of CVE-2026-28403 is unauthorized remote control over the teleprompter content in Textream, which can compromise the integrity and availability of live presentations or broadcasts relying on this software. Attackers can manipulate scripts silently, potentially causing misinformation, confusion, or disruption during critical events. Confidentiality impact is low but present, as the attacker can observe teleprompter content. The ease of exploitation—requiring only that a user visits a malicious web page—raises the risk of widespread attacks, especially in environments where users frequently browse the internet while running Textream. Organizations involved in media production, broadcasting, or public speaking that use Textream on macOS may face operational disruptions, reputational damage, and loss of audience trust. Although no exploits are known in the wild, the vulnerability's nature makes it a viable target for attackers aiming to interfere with live content delivery. The local WebSocket server's exposure to any origin without validation represents a significant security design flaw that could be leveraged in targeted or opportunistic attacks.

To mitigate CVE-2026-28403, organizations and users should immediately upgrade Textream to version 1.5.1 or later, where proper Origin header validation is implemented. Until the update is applied, users should avoid visiting untrusted or suspicious web pages in the same browser session as Textream to reduce the risk of exploitation. Network-level controls can be employed to restrict local WebSocket server access, such as firewall rules blocking inbound connections to the relevant localhost ports from browser processes or sandboxing the browser to prevent local network access. Application-level sandboxing or macOS security features (e.g., App Sandbox, firewall) should be configured to limit inter-process communication between browsers and Textream. Security awareness training should emphasize the risks of visiting malicious websites while running sensitive local applications. Developers of similar applications should audit WebSocket implementations to ensure strict Origin validation is enforced to prevent cross-origin attacks. Monitoring local WebSocket connections and logging unusual DirectorCommand payloads may help detect attempted exploitation attempts.