Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27808 is a Server-Side Request Forgery (SSRF) vulnerability in the Mailpit email testing tool, specifically in its Link Check API endpoint (/api/v1/message/{ID}/link-check). Prior to version 1.29.2, the API performs HTTP HEAD requests on every URL found in an email without validating or filtering the target hosts, allowing requests to internal, private, or link-local IP addresses.'}, {'type': 'paragraph', 'content': "Because Mailpit's default configuration has no authentication on SMTP or API services and binds to all interfaces, this vulnerability is remotely exploitable without any user interaction. The API returns HTTP status codes and status text for each link, making it a non-blind SSRF, which means attackers get direct feedback from internal network requests."}, {'type': 'paragraph', 'content': 'The vulnerability allows attackers to make HTTP requests to internal network resources, including loopback addresses, private IP ranges, link-local addresses, and cloud metadata endpoints, potentially bypassing network segmentation and accessing sensitive internal services.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to perform unauthorized internal network scanning and service fingerprinting through the vulnerable Mailpit Link Check API. Attackers can access internal IP addresses and services that are normally protected from external access.

Because the API returns detailed HTTP status codes and status text for each link, attackers receive direct feedback about the existence and status of internal services, which can be used to further exploit or gather intelligence about your internal network.

If your Mailpit instance is publicly accessible without authentication, attackers can remotely exploit this vulnerability without any user interaction, increasing the risk of internal network exposure.

Potential impacts include unauthorized access to internal services, exposure of sensitive metadata (such as cloud provider metadata endpoints), and bypassing network segmentation controls.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by observing if the Mailpit Link Check API (/api/v1/message/{ID}/link-check) is making HTTP HEAD requests to internal or private IP addresses without validation or filtering. Since the API returns HTTP status codes and status text for each link, you can detect exploitation attempts by monitoring these requests targeting internal IP ranges such as loopback (127.0.0.0/8), private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and multicast addresses.'}, {'type': 'paragraph', 'content': 'To detect this on your system or network, you can monitor HTTP HEAD requests originating from the Mailpit server to internal IP addresses. Network monitoring tools or packet capture utilities like tcpdump or Wireshark can be used to capture such traffic.'}, {'type': 'list_item', 'content': "Use tcpdump to capture HTTP HEAD requests from the Mailpit server to internal IP ranges, for example: tcpdump -i <interface> 'tcp[tcpflags] & tcp-push != 0 and dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16 or dst net 127.0.0.0/8'"}, {'type': 'list_item', 'content': 'Check Mailpit API logs for requests to /api/v1/message/{ID}/link-check and analyze the returned HTTP status codes and URLs to identify requests to internal or private IP addresses.'}, {'type': 'list_item', 'content': 'Send test emails containing links to internal IP addresses (e.g., http://127.0.0.1:8081/ssrf-proof) and trigger the Link Check API to observe if the server performs HTTP HEAD requests to these internal URLs and returns their status codes.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade Mailpit to version 1.29.2 or later, which includes a fix that blocks internal HTTP requests by default in the Link Check API and screenshot proxy features.

This fix introduces a configuration flag `--allow-internal-http-requests` (environment variable `MP_ALLOW_INTERNAL_HTTP_REQUESTS=true`) that is disabled by default to prevent SSRF attacks by blocking requests to internal IP addresses such as loopback, private, link-local, multicast, unspecified, and reserved IP ranges.

If upgrading immediately is not possible, you should restrict access to the Mailpit API and SMTP services by enabling authentication or limiting network exposure to trusted users only, to reduce the risk of remote exploitation.

Additionally, review and update any test suites or automation that rely on the Link Check API probing internal resources, as the new default behavior blocks such requests unless explicitly enabled.

Useful 0 Not Useful 0