Detection Guidance

You can detect this vulnerability by checking if your Mailpit instance is running version 1.28.0 or below and if the /proxy endpoint is accessible without authentication. To test for exploitation, you can send HTTP GET requests to the /proxy endpoint with URLs pointing to internal IP addresses or services, for example: curl -v 'http://<mailpit-host>/proxy?url=http://127.0.0.1:8025/api/v1/info'. If the response returns internal API data, the system is vulnerable. Monitoring network traffic for unusual GET requests to /proxy with internal IP addresses can also help detect exploitation attempts. [2]

Useful 0 Not Useful 0

Executive Summary

CVE-2026-21859 is a Server-Side Request Forgery (SSRF) vulnerability in the Mailpit email testing tool, specifically in the /proxy endpoint of versions 1.28.0 and below. This vulnerability allows attackers to make HTTP GET requests through the proxy to internal network resources by exploiting insufficient validation of URLs. Although the endpoint validates that URLs use http:// or https:// schemes, it does not block requests to internal IP addresses, enabling attackers to access internal services and APIs that should not be exposed. The vulnerability is limited to HTTP GET requests with minimal headers and was fixed in version 1.28.1 by restricting the proxy to only allow requests for assets explicitly linked in email messages and validating content types and URLs more strictly. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to perform internal network scanning and access internal services that are normally protected. Attackers can retrieve sensitive information such as internal API data, database paths, runtime statistics, and email content captured by Mailpit. If Mailpit is deployed in cloud environments, attackers might access cloud instance metadata services (e.g., AWS, GCP, Azure metadata endpoints). This can lead to exposure of development environments, container escape information disclosure in containerized setups, and lateral movement within corporate networks. The vulnerability has a moderate severity with a CVSS score of 5.8 and requires no privileges or user interaction to exploit. [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Mailpit to version 1.28.1 or later, where the vulnerability is fixed. If upgrading is not immediately possible, restrict access to the Mailpit web UI and API, especially the /proxy endpoint, by implementing basic authentication or network-level access controls to prevent unauthorized external access. Additionally, monitor and block suspicious GET requests to the /proxy endpoint that attempt to access internal IP addresses or services. [2, 1]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to access internal network resources and potentially sensitive information such as internal API data, database paths, runtime statistics, and email content captured by Mailpit. This exposure could lead to unauthorized disclosure of personal or sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA. Specifically, unauthorized access to internal services and data could violate confidentiality requirements mandated by these standards. However, the vulnerability is limited to HTTP GET requests with minimal headers, and mitigations such as basic authentication on the Mailpit web UI and API can reduce exposure risk. Overall, if exploited, this SSRF vulnerability could compromise data confidentiality and thus affect compliance with common standards and regulations. [2]

Useful 0 Not Useful 0