# Mailpit - Server-Side Request Forgery (SSRF)

Advisory ID: RO-26-001
CVE ID: CVE-2026-21859
Severity: Medium
Vendor: axllent
Product: Mailpit
Version: < 1.28.0

## Overview

A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's `/api/v1/proxy` endpoint. The endpoint fetches a URL supplied by the client, so anyone who can reach the Mailpit web interface can make the Mailpit server issue HTTP requests to hosts that are reachable from the server but not from the attacker, such as internal network services.

## Vulnerability Details

- Affected Versions: < 1.28.0
- Location: `/api/v1/proxy` endpoint
- Affected Parameter: `url`
- Root Cause: insufficient validation of the user-supplied `url` value. The server fetches whatever URL it is given, including loopback, private-range and link-local addresses, so an attacker can point it at internal resources and read the response.

## Exploitation Requirements

- No authentication required (Mailpit's web interface and API are unauthenticated unless the optional password-file based UI authentication is enabled)
- Direct access to the Mailpit web interface

## Impact

A remote attacker can use the Mailpit server as a request proxy to:

- Access internal services (databases, APIs) that are reachable from the server
- Scan internal network resources (host and port discovery from differences in responses and timing)
- Access cloud instance metadata endpoints (AWS, GCP, Azure)
- Potentially pivot to internal systems

Whether metadata credentials are actually exposed depends on the target: AWS IMDSv1 answers a plain GET, AWS IMDSv2 requires a session token obtained with a PUT request, and GCP and Azure require a specific request header (`Metadata-Flavor: Google` and `Metadata: true` respectively). When assessing an exposed instance, verify which methods and headers the proxy forwards before concluding that metadata is or is not reachable; unauthenticated internal HTTP services remain reachable in any case.

## Proof of Concept

The request below asks the Mailpit server to fetch the AWS instance metadata root on the attacker's behalf; on an EC2 instance with IMDSv1 enabled, the metadata listing is returned in the response body:

```http
GET /api/v1/proxy?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1
Host: mailpit.target.com
```

To confirm the issue without touching a metadata service, point `url` at a listener you control that is reachable only from the Mailpit host (for example a service bound to 127.0.0.1 on that host) and check that its response comes back through the proxy.

## Solution

Upgrade to Mailpit version 1.28.1 or later, which includes proper URL validation for the proxy endpoint. Until the upgrade is applied, do not expose the Mailpit web interface to untrusted networks, enable UI authentication, and restrict outbound connections from the Mailpit host, in particular to 169.254.169.254 and other link-local, loopback and private address ranges.

## References

- GitHub Advisory
- Mailpit Release Notes

Timeline:

- 2026-01-06 - Discovered
- 2026-01-07 - Reported
- 2026-01-08 - Fixed

Credits: Omar Kurt
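The kind of URL validation the Solution section calls for, as an added example written for this page in Go (Mailpit's implementation language). This is illustrative code, not Mailpit's own patch: the names `isDisallowedIP`, `validateProxyURL`, `safeDialContext`, `newProxyClient` and `fetch` are hypothetical, and it assumes an image-proxy use case in which only `http`/`https` on ports 80 and 443 is needed. It goes a little beyond the advisory's single PoC target by also rejecting IPv6 metadata and ULA addresses, IPv4-mapped IPv6 forms, the 100.64.0.0/10 range, embedded credentials and redirects to internal hosts.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// errBlocked marks a destination the proxy refuses to contact. (Example code
// written for this page; the function names are hypothetical, not Mailpit's.)
var errBlocked = errors.New("proxy: destination not allowed")

// isDisallowedIP: loopback, RFC 1918 / IPv6 ULA, link-local (which includes the
// metadata address 169.254.169.254), unspecified, multicast and 100.64.0.0/10.
// To4() normalises IPv4-mapped IPv6 such as ::ffff:169.254.169.254.
func isDisallowedIP(ip net.IP) bool {
	if ip == nil { // unparseable input: fail closed
		return true
	}
	ip4 := ip.To4()
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsUnspecified() || ip.IsMulticast() ||
		(ip4 != nil && ip4[0] == 100 && ip4[1]&0xc0 == 64) // CGNAT, not in IsPrivate
}

// validateProxyURL applies the checks that need no DNS: absolute http(s) URL, no
// embedded credentials, default web ports only (assumed enough for an image proxy).
func validateProxyURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", errBlocked, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", errBlocked, u.Scheme)
	}
	if u.Hostname() == "" || u.User != nil {
		return nil, fmt.Errorf("%w: missing host or embedded credentials", errBlocked)
	}
	if p := u.Port(); p != "" && p != "80" && p != "443" {
		return nil, fmt.Errorf("%w: port %s", errBlocked, p)
	}
	return u, nil
}

// safeDialContext resolves the host once, refuses it if any answer is disallowed,
// and dials that vetted address rather than letting the transport resolve the name
// again. That closes the DNS rebinding window between "check" and "connect".
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	for _, a := range ips {
		if isDisallowedIP(a.IP) {
			return nil, fmt.Errorf("%w: %s resolves to %s", errBlocked, host, a.IP)
		}
	}
	d := net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// newProxyClient wires the dialer in and re-validates every redirect target, so a
// public URL cannot bounce the fetch to an internal one.
func newProxyClient() *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: safeDialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("proxy: too many redirects")
			}
			_, err := validateProxyURL(req.URL.String())
			return err
		},
	}
}

// fetch is the checked replacement for "GET whatever url= says".
func fetch(ctx context.Context, client *http.Client, raw string) (*http.Response, error) {
	u, err := validateProxyURL(raw)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	return client.Do(req)
}

func main() {
	// The advisory's proof-of-concept target is refused before any packet is sent.
	_, err := fetch(context.Background(), newProxyClient(), "http://169.254.169.254/latest/meta-data/")
	fmt.Println("metadata fetch:", err)
}
```

The important design choice is that the address check lives in the dialer, not only in a pre-check on the URL string: a string-level blocklist can be bypassed with a hostname that resolves to an internal address, or that resolves to a public address when checked and an internal one a moment later. Checking the resolved addresses and then connecting to exactly the address that was checked removes that gap, and routing redirects through the same client means an `http://public.example/` that 302s to `http://169.254.169.254/` is refused as well.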