CVE-2026-55187
Received Received - Intake

Mailpit IPv6 Address Bypass in Link Check API

Vulnerability report for CVE-2026-55187, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Mailpit is an email testing tool and API for developers. Prior to 1.30.2, the remediation shipped for CVE-2026-27808 is incomplete because the tools.IsInternalIP deny-list in internal/tools/net.go relies on Go's standard library classification helpers and does not block IPv6 transition mechanisms or prefixes such as NAT64, 6to4, IPv4-compatible IPv6, ISATAP, fec0::/10, and 2001:db8::/32. An attacker who can deliver email and invoke POST /api/v1/message/{ID}/link-check can coerce the Link Check API's safeDialContext path into dialing internal destinations and can use status-code and error feedback to map internal service reachability, including cloud metadata endpoints. This issue is fixed in version 1.30.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mailpit mailpit to 1.30.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Mailpit, an email testing tool and API for developers. Before version 1.30.2, the tool's deny-list for internal IP addresses was incomplete because it relied on Go's standard library classification helpers, which did not block certain IPv6 transition mechanisms and prefixes such as NAT64, 6to4, IPv4-compatible IPv6, ISATAP, fec0::/10, and 2001:db8::/32.

An attacker who can deliver email and invoke the POST /api/v1/message/{ID}/link-check endpoint can manipulate the Link Check API's safeDialContext path to dial internal destinations. By analyzing status codes and error feedback, the attacker can map the reachability of internal services, including cloud metadata endpoints.

This issue was fixed in Mailpit version 1.30.2.

Impact Analysis

This vulnerability allows an attacker to probe internal network services by abusing the Link Check API to dial internal IP addresses that should be blocked.

The attacker can use status codes and error messages to map internal service reachability, potentially exposing sensitive internal infrastructure such as cloud metadata endpoints.

Such information disclosure can aid attackers in further attacks against internal systems or cloud environments.

Detection Guidance

This vulnerability involves the Mailpit Link Check API being coerced into dialing internal destinations, allowing an attacker to map internal service reachability via status-code and error feedback.

Detection could involve monitoring for unusual POST requests to the endpoint /api/v1/message/{ID}/link-check, especially those that result in network calls to internal or cloud metadata endpoints.

Specific commands are not provided in the available information.

Mitigation Strategies

The vulnerability is fixed in Mailpit version 1.30.2.

Immediate mitigation should include upgrading Mailpit to version 1.30.2 or later.

Since the issue involves the tools.IsInternalIP deny-list not blocking certain IPv6 transition mechanisms and prefixes, reviewing and restricting access to the Link Check API endpoint and monitoring for suspicious POST requests may also help reduce risk until the upgrade is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55187. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart