Executive Summary

CVE-2026-23845 is a Server-Side Request Forgery (SSRF) vulnerability in Mailpit's HTML Check API. The vulnerability occurs because the application automatically downloads external CSS files referenced in HTML emails without sufficient validation of the URLs. This allows an attacker to craft malicious HTML emails containing links to internal or sensitive network resources (such as cloud metadata endpoints). When Mailpit processes these emails, it makes server-side HTTP requests to these URLs, potentially exposing sensitive information like cloud credentials. The issue is due to insufficient URL validation and unrestricted downloading of external CSS resources. It is fixed in Mailpit version 1.28.3. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to sensitive data exposure by allowing attackers to induce the Mailpit server to make HTTP requests to internal or cloud metadata services. For example, attackers can retrieve cloud IAM credentials or access internal services such as Redis. This can result in credential theft or unauthorized access to internal network resources. The impact is moderate severity with a CVSS score of 5.8, involving partial confidentiality loss without affecting integrity or availability. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests made by the Mailpit server to external or internal URLs when processing HTML emails via the `/api/v1/message/{ID}/html-check` endpoint. Specifically, look for unexpected server-side HTTP GET requests to internal IP addresses (e.g., 169.254.169.254 or 127.0.0.1) or attacker-controlled URLs. Additionally, using the provided proof-of-concept Python script `ssrf_htmlcheck_poc.py` can help confirm exploitation by triggering the SSRF and monitoring callbacks on port 8888. Network monitoring tools like tcpdump or Wireshark can be used to capture outgoing HTTP requests from the Mailpit server. Example commands include: 1. Using tcpdump to capture HTTP traffic from the Mailpit server: `tcpdump -i <interface> tcp port 80 or tcp port 443 and host <mailpit-server-ip>` 2. Running the PoC script (if available) to simulate the attack and observe network behavior. 3. Checking Mailpit logs for error messages or logs containing URLs or IP addresses accessed during HTML Check processing. These methods help detect if the vulnerable feature is being exploited or if unexpected requests are made. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1. Upgrade Mailpit to version 1.28.3 or later, where the vulnerability is fixed. 2. Enable the configuration flag `BlockRemoteCSSAndFonts` to disable fetching remote CSS and font resources during HTML Check processing, preventing external HTTP requests. 3. If upgrading immediately is not possible, restrict network access from the Mailpit server to internal or sensitive IP ranges (e.g., 169.254.169.254, 127.0.0.1) using firewall rules to block outgoing HTTP requests to these addresses. 4. Monitor and audit Mailpit logs for suspicious activity related to HTML Check API usage. 5. Apply any patches or updates that implement stricter URL validation, safe HTTP client usage, and download size/content-type checks as described in the patch. These steps reduce the risk of SSRF exploitation until the fixed version is deployed. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to induce the Mailpit server to make HTTP requests to internal services or cloud metadata endpoints, potentially leading to sensitive data exposure such as cloud credentials. This kind of data exposure could impact compliance with standards and regulations like GDPR or HIPAA, which require protection of sensitive information. However, the provided resources do not explicitly discuss compliance implications or specific regulatory impacts. [1]

Useful 0 Not Useful 0