Mailpit - Server-Side Request Forgery (SSRF)

Overview

A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows an unauthenticated attacker to make the Mailpit server issue HTTP requests to internal network resources on their behalf.

Vulnerability Details

Affected Versions: < 1.28.0

Location: /api/v1/proxy endpoint

Affected Parameter: url

Root Cause: The vulnerability exists due to insufficient validation of user-supplied URLs. Attackers can supply internal URLs that the server will fetch on their behalf.

Exploitation Requirements

  • No authentication required
  • Direct access to the Mailpit web interface

Impact

Remote attackers can exploit this vulnerability to:

  • Access internal services (databases, APIs)
  • Scan internal network resources
  • Access cloud metadata endpoints (AWS, GCP, Azure)
  • Potentially pivot to internal systems

Proof of Concept

GET /api/v1/proxy?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1
Host: mailpit.target.com

Solution

Upgrade to Mailpit version 1.28.1 or later, which includes proper URL validation for the proxy endpoint.
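The kind of URL validation a proxy endpoint like this one needs, written as an added example for this advisory rather than Mailpit's own fix: the scheme is restricted to http/https, the host is resolved (or taken as a literal, as in the PoC), and every resulting address is checked against loopback, private, link-local and other non-routable ranges. The resolver is injected through a hypothetical lookup parameter so the check can be exercised offline; in production net.LookupIP fills that role.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)
// isBlockedIP reports whether a server-side proxy must refuse ip: loopback, RFC 1918
// and ULA ranges, link-local (covers 169.254.169.254 from the PoC), unspecified, multicast.
func isBlockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4 // normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot slip past
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// validateProxyURL accepts only http/https URLs whose host resolves solely to public
// addresses. lookup is injected (hypothetical signature) so tests run offline; use net.LookupIP.
func validateProxyURL(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return fmt.Errorf("missing host in %q", raw)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no DNS needed
	} else if ips, err = lookup(host); err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve host %q", host)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return fmt.Errorf("%q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

func main() {
	err := validateProxyURL("http://169.254.169.254/latest/meta-data/", net.LookupIP)
	fmt.Println("metadata URL rejected:", err != nil)
}
```

Validating the string alone is not sufficient: the HTTP client must apply the same address check on every redirect it follows and, to defeat DNS rebinding between validation and connect, on the address actually dialed (for example in a net.Dialer Control hook).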

References