CVE-2026-23845
Server-Side Request Forgery in Mailpit HTML Check Component

Publication date: 2026-01-19

Last updated on: 2026-02-05

Assigner: GitHub, Inc.

Description
Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="...">` tags to inline them for testing. Version 1.28.3 fixes the issue.
Meta Information
Published: 2026-01-19
Last Modified: 2026-02-05
Generated: 2026-05-07
AI Q&A: 2026-01-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (4 associated CPEs)

Vendor   Product  Version / Range
axllent  mailpit  up to 1.28.3 (excluding)
axllent  mailpit  1.28.3
axllent  mailpit  up to 0.0.0-20260117230009 (excluding)
axllent  mailpit  0.0.0-20260117230009
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-23845 is a Server-Side Request Forgery (SSRF) vulnerability in Mailpit's HTML Check API. The vulnerability occurs because the application automatically downloads external CSS files referenced in HTML emails without sufficient validation of the URLs. This allows an attacker to craft malicious HTML emails containing links to internal or sensitive network resources (such as cloud metadata endpoints). When Mailpit processes these emails, it makes server-side HTTP requests to these URLs, potentially exposing sensitive information like cloud credentials. The issue is due to insufficient URL validation and unrestricted downloading of external CSS resources. It is fixed in Mailpit version 1.28.3. [1]


How can this vulnerability impact me?

This vulnerability can lead to sensitive data exposure by allowing attackers to induce the Mailpit server to make HTTP requests to internal or cloud metadata services. For example, attackers can retrieve cloud IAM credentials or access internal services such as Redis. This can result in credential theft or unauthorized access to internal network resources. The impact is moderate severity with a CVSS score of 5.8, involving partial confidentiality loss without affecting integrity or availability. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP requests made by the Mailpit server to external or internal URLs when processing HTML emails via the `/api/v1/message/{ID}/html-check` endpoint. Specifically, look for unexpected server-side HTTP GET requests to internal IP addresses (e.g., 169.254.169.254 or 127.0.0.1) or attacker-controlled URLs. Additionally, using the provided proof-of-concept Python script `ssrf_htmlcheck_poc.py` can help confirm exploitation by triggering the SSRF and monitoring callbacks on port 8888. Network monitoring tools like tcpdump or Wireshark can be used to capture outgoing HTTP requests from the Mailpit server. Example commands include:

1. Using tcpdump to capture HTTP traffic from the Mailpit server: `tcpdump -i <interface> 'host <mailpit-server-ip> and (tcp port 80 or tcp port 443)'`
2. Running the PoC script (if available) to simulate the attack and observe network behavior.
3. Checking Mailpit logs for error messages or logs containing URLs or IP addresses accessed during HTML Check processing.

These methods help detect if the vulnerable feature is being exploited or if unexpected requests are made. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

1. Upgrade Mailpit to version 1.28.3 or later, where the vulnerability is fixed.
2. Enable the configuration flag `BlockRemoteCSSAndFonts` to disable fetching remote CSS and font resources during HTML Check processing, preventing external HTTP requests.
3. If upgrading immediately is not possible, restrict network access from the Mailpit server to internal or sensitive IP ranges (e.g., 169.254.169.254, 127.0.0.1) using firewall rules to block outgoing HTTP requests to these addresses.
4. Monitor and audit Mailpit logs for suspicious activity related to HTML Check API usage.
5. Apply any patches or updates that implement stricter URL validation, safe HTTP client usage, and download size/content-type checks as described in the patch.

These steps reduce the risk of SSRF exploitation until the fixed version is deployed. [1, 2]
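
As an added illustration of the controls named in step 5 (not Mailpit's own code and not its 1.28.3 patch), the following Go block is a hypothetical hardened stand-in for the stylesheet download: it accepts only absolute http(s) URLs, refuses loopback, link-local (including 169.254.169.254), private and unspecified destinations at dial time so the check also applies to redirect hops and to hostnames that resolve internally, and requires a text/css response under a size cap. Function names and the 1 MiB cap are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"strings"
)
const maxCSSBytes = 1 << 20 // assumed cap on one downloaded stylesheet (1 MiB)
// isPublicIP rejects loopback, link-local (169.254.0.0/16 holds the cloud metadata endpoint), private, multicast and unspecified addresses.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsMulticast() || ip.IsUnspecified())
}
// safeDial resolves the host itself and refuses non-public results; checking at dial time also covers redirect hops and hostnames that resolve to internal addresses.
func safeDial(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, _ := net.SplitHostPort(addr) // the transport always passes host:port; a malformed addr fails the lookup below
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	for _, ip := range ips {
		if !isPublicIP(ip.IP) {
			return nil, fmt.Errorf("refusing non-public address %s for %q", ip.IP, host)
		}
	}
	return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}
// FetchRemoteCSS is a hypothetical hardened stand-in (not Mailpit's code) for the stylesheet download: absolute http(s) URL only, internal destinations refused by safeDial, text/css required, size capped.
func FetchRemoteCSS(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return "", fmt.Errorf("stylesheet href %q is not an absolute http(s) URL", raw)
	}
	resp, err := (&http.Client{Transport: &http.Transport{DialContext: safeDial}}).Get(u.String())
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK || !strings.HasPrefix(resp.Header.Get("Content-Type"), "text/css") {
		return "", fmt.Errorf("unexpected status %d or content type %q", resp.StatusCode, resp.Header.Get("Content-Type"))
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxCSSBytes+1))
	if err != nil || len(body) > maxCSSBytes {
		return "", fmt.Errorf("stylesheet unreadable or larger than %d bytes", maxCSSBytes)
	}
	return string(body), nil
}
```

Because the address check lives in the dialer rather than only in a pre-flight URL check, a `Location` redirect or a DNS answer pointing at an internal address is refused on the connection attempt itself.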


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to induce the Mailpit server to make HTTP requests to internal services or cloud metadata endpoints, potentially leading to sensitive data exposure such as cloud credentials. This kind of data exposure could impact compliance with standards and regulations like GDPR or HIPAA, which require protection of sensitive information. However, the provided resources do not explicitly discuss compliance implications or specific regulatory impacts. [1]

