CVE-2026-21859
Unknown Unknown - Not Provided

SSRF Vulnerability in Mailpit /proxy Allows Internal Network Access

Vulnerability report for CVE-2026-21859, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-08

Last updated on: 2026-02-02

Assigner: GitHub, Inc.

Description

Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-08
Last Modified
2026-02-02
Generated
2026-07-06
AI Q&A
2026-01-08
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
axllent mailpit to 1.28.0 (inc)
axllent mailpit 1.28.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows attackers to access internal network resources and potentially sensitive information such as internal API data, database paths, runtime statistics, and email content captured by Mailpit. This exposure could lead to unauthorized disclosure of personal or sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA. Specifically, unauthorized access to internal services and data could violate confidentiality requirements mandated by these standards. However, the vulnerability is limited to HTTP GET requests with minimal headers, and mitigations such as basic authentication on the Mailpit web UI and API can reduce exposure risk. Overall, if exploited, this SSRF vulnerability could compromise data confidentiality and thus affect compliance with common standards and regulations. [2]

Executive Summary

CVE-2026-21859 is a Server-Side Request Forgery (SSRF) vulnerability in the Mailpit email testing tool, specifically in the /proxy endpoint of versions 1.28.0 and below. This vulnerability allows attackers to make HTTP GET requests through the proxy to internal network resources by exploiting insufficient validation of URLs. Although the endpoint validates that URLs use http:// or https:// schemes, it does not block requests to internal IP addresses, enabling attackers to access internal services and APIs that should not be exposed. The vulnerability is limited to HTTP GET requests with minimal headers and was fixed in version 1.28.1 by restricting the proxy to only allow requests for assets explicitly linked in email messages and validating content types and URLs more strictly. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing attackers to perform internal network scanning and access internal services that are normally protected. Attackers can retrieve sensitive information such as internal API data, database paths, runtime statistics, and email content captured by Mailpit. If Mailpit is deployed in cloud environments, attackers might access cloud instance metadata services (e.g., AWS, GCP, Azure metadata endpoints). This can lead to exposure of development environments, container escape information disclosure in containerized setups, and lateral movement within corporate networks. The vulnerability has a moderate severity with a CVSS score of 5.8 and requires no privileges or user interaction to exploit. [2]

Detection Guidance

You can detect this vulnerability by checking if your Mailpit instance is running version 1.28.0 or below and if the /proxy endpoint is accessible without authentication. To test for exploitation, you can send HTTP GET requests to the /proxy endpoint with URLs pointing to internal IP addresses or services, for example: curl -v 'http://<mailpit-host>/proxy?url=http://127.0.0.1:8025/api/v1/info'. If the response returns internal API data, the system is vulnerable. Monitoring network traffic for unusual GET requests to /proxy with internal IP addresses can also help detect exploitation attempts. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading Mailpit to version 1.28.1 or later, where the vulnerability is fixed. If upgrading is not immediately possible, restrict access to the Mailpit web UI and API, especially the /proxy endpoint, by implementing basic authentication or network-level access controls to prevent unauthorized external access. Additionally, monitor and block suspicious GET requests to the /proxy endpoint that attempt to access internal IP addresses or services. [2, 1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21859. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart