CVE-2026-21859
Published 2026-01-08
Priority: P279 · Severity: medium · Score: 5.3 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Tags: ITW · Exploit · VulnCheck KEV (listed in the VulnCheck KEV catalogue, not in CISA KEV; see the Wiz entry below)
Exploited in the wild
EPSS: 0.76% (50.5th percentile)
Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1.
Affected
5 ranges listed by the sources (4 distinct; one row was a verbatim duplicate). Only the 1.28.1 ranges belong to CVE-2026-21859; the 1.29.2 ranges match the fix version of the related Link Check advisory (CVE-2026-27808), which is aggregated further down this page.

| Vendor | Product | Version range | Fixed in | Advisory |
|---|---|---|---|---|
| axllent | mailpit | < 1.28.1 | 1.28.1 | CVE-2026-21859 (/proxy SSRF) |
| github.com | axllent_mailpit | >= 0 < 1.28.1 | 1.28.1 | CVE-2026-21859 (/proxy SSRF) |
| axllent | mailpit | < 1.29.2 | 1.29.2 | CVE-2026-27808 (Link Check SSRF) |
| github.com | axllent_mailpit | >= 0 < 1.29.2 | 1.29.2 | CVE-2026-27808 (Link Check SSRF) |
Detection & IOCs (extracted from sources)
- Shodan: title:"Mailpit"
- FOFA: title="Mailpit"
- Detect SSRF exploitation attempts targeting the /proxy endpoint with internal IP addresses in the url query parameter (e.g., 127.0.0.1, RFC-1918 ranges).
- Match HTTP GET requests to /proxy?url= containing loopback or internal addresses; a successful exploit response carries Content-Type: application/json and the JSON fields "Version", "Database" and "RuntimeStats" in the body (the output of Mailpit's own /api/v1/info, which the GHSA proof of concept below targets).
- Exploitation is limited to HTTP GET requests; monitor web server access logs for GET /proxy?url=http://<internal-IP>:<port>/ patterns. The url parameter may arrive percent-encoded, and the target may be a hostname that resolves into private space, so decode the parameter and classify the destination host rather than matching only raw IP strings.
- Affected versions are Mailpit <= 1.28.0; exposed Mailpit instances can be identified via Shodan (title:"Mailpit") or FOFA (title="Mailpit") for exposure assessment.
- The SSRF is constrained to HTTP GET requests only; POST and other methods are not exploitable via this vector.
- The /proxy endpoint does validate the http:// and https:// schemes, so non-HTTP schemes (e.g., file://, gopher://) are rejected; what is missing is filtering of loopback and internal destination addresses. The Link Check API SSRF (CVE-2026-27808, below) is the same class of bug in a different code path.
- The vulnerability is fixed in version 1.28.1; the Nuclei template references 1.28.3 in its name and declares severity: high (against the MEDIUM 5.3/5.8 scores recorded below), but NVD and the advisory confirm the fix is in 1.28.1.
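The description and the detection notes above describe two sides of the same defect: a target check that stops at the URL scheme, and log matching on raw internal-IP strings. The following is an added example in Go (Mailpit's own language), written for this page and not taken from the Mailpit code base or from any source quoted here. It shows the hardened target check a proxy endpoint should apply (loopback, RFC 1918, link-local including the cloud metadata address, IPv6 and IPv4-mapped forms, and hostnames that resolve into those ranges), then reuses that classifier to scan access-log lines for /proxy?url= requests. The blocked-range list, the fakeResolve table, the sample log lines and all function names are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Destinations a proxy must never reach: loopback, RFC 1918, link-local (covers
// the 169.254.169.254 metadata address), CGNAT, 0.0.0.0/8 and the IPv6
// loopback, unspecified, ULA and link-local blocks. Our list, not Mailpit's.
var blockedNets = func() (nets []*net.IPNet) {
	for _, c := range []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
		"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8", "::1/128", "::/128", "fc00::/7", "fe80::/10"} {
		_, n, _ := net.ParseCIDR(c) // literals, so the error is unreachable
		nets = append(nets, n)
	}
	return nets
}()

// Resolver is injected so the example runs offline. Production code passes a real
// lookup and then dials the IP it checked, not the name, to defeat DNS rebinding.
type Resolver func(host string) ([]net.IP, error)

// CheckProxyTarget is the hardened form of the scheme-only check in the advisory:
// http/https is still required, and the host must neither be nor resolve to an
// internal address. Decimal or octal host spellings that a libc resolver may
// accept are still caught, because the resolved IPs are what get checked.
func CheckProxyTarget(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // port and IPv6 brackets already stripped
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: resolve it (an empty host fails here too)
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("cannot resolve %q: %v", host, err)
		}
	}
	for _, ip := range ips {
		for _, n := range blockedNets {
			// IPNet.Contains folds IPv4-mapped IPv6 (::ffff:127.0.0.1) to IPv4,
			// so that spelling cannot bypass the IPv4 entries.
			if n.Contains(ip) {
				return nil, fmt.Errorf("%s is internal address %s", host, ip)
			}
		}
	}
	return ips, nil
}

// Finding is a logged /proxy request whose url parameter fails CheckProxyTarget.
type Finding struct {
	Line           int
	Target, Reason string
}

var requestField = regexp.MustCompile(`"[A-Z]+ (\S+) HTTP/[\d.]+"`)

// ScanAccessLog runs the same classifier over Common Log Format lines. net/url
// undoes percent-encoding of the url parameter and the resolver catches names
// that map to internal space; a raw string match for "127.0.0.1" misses both.
func ScanAccessLog(text string, resolve Resolver) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		m := requestField.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		req, err := url.Parse(m[1])
		if err != nil || req.Path != "/proxy" || req.Query().Get("url") == "" {
			continue
		}
		target := req.Query().Get("url")
		if _, err := CheckProxyTarget(target, resolve); err != nil {
			out = append(out, Finding{i + 1, target, err.Error()})
		}
	}
	return out
}

// Constructed sample log: line 1 is the advisory's PoC target, 2 a cloud metadata
// probe with a percent-encoded parameter, 3 an internal hostname, 4 a benign
// external fetch that must not be flagged.
const sampleLog = `198.51.100.7 - - [08/Jan/2026:10:00:02 +0000] "GET /proxy?url=http://127.0.0.1:8025/api/v1/info HTTP/1.1" 200 512
198.51.100.7 - - [08/Jan/2026:10:00:03 +0000] "GET /proxy?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 98
198.51.100.7 - - [08/Jan/2026:10:00:05 +0000] "GET /proxy?url=http://internal-db.corp.example/ HTTP/1.1" 200 77
203.0.113.9 - - [08/Jan/2026:10:00:06 +0000] "GET /proxy?url=https://example.com/logo.png HTTP/1.1" 200 2048`

// fakeResolve is a constructed DNS table standing in for real resolution.
func fakeResolve(host string) ([]net.IP, error) {
	table := map[string]string{"localhost": "127.0.0.1",
		"internal-db.corp.example": "10.20.30.40", "example.com": "203.0.113.10"}
	if a, ok := table[host]; ok {
		return []net.IP{net.ParseIP(a)}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	for _, f := range ScanAccessLog(sampleLog, fakeResolve) {
		fmt.Printf("line %d: %s -> %s\n", f.Line, f.Target, f.Reason)
	}
}
```

Run it with `go run`; the first three sample lines are reported and the external fetch is not. The same check applies to the Link Check and HTML Check code paths named in the GHSA entry for CVE-2026-27808 below, with one further rule for real deployments: connect to the address you validated, never to a fresh lookup of the name.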
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| GHSA | | 5.3 | MEDIUM | |
| OSV | | 5.3 | MEDIUM | |
| VulnCheck | | 5.8 | MEDIUM | |
GHSA
Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API
ghsa · 2026-02-26 · CVSS 5.3 · CVE-2026-27808 [MEDIUM] · CWE-918
### Summary
The Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction.
This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in either
OSV
Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API
osv · 2026-02-26 · CVSS 5.3 · CVE-2026-27808 [MEDIUM]
Same summary text as the GHSA entry for CVE-2026-27808 above.
OSV
Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability in github.com/axllent/mailpit
osv · 2026-01-12 · CVE-2026-21859
GHSA
Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability
ghsa · 2026-01-06 · CVE-2026-21859 [MEDIUM] · CWE-918
## Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's `/proxy` endpoint that allows attackers to make requests to internal network resources.
## Description
The `/proxy` endpoint fetches a caller-supplied URL on the server's behalf. While it validates the `http://` and `https://` schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.
## Proof of Concept
### Basic SSRF Request
```http
GET /proxy?url=http://127.0.0.1:8025/api/v1/info
```
This returns internal API data, including the database path and runtime statistics, from Mailpit's own API reached over the loopback interface.
## Impact Assessment
### 1. Internal Network Scanning
An attacker can probe and discover internal services on the network.
### 2. In
OSV
Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability
osv · 2026-01-06 · CVE-2026-21859 [MEDIUM]
Same text as the GHSA advisory for CVE-2026-21859 above.
VulnCheck
axllent mailpit Server-Side Request Forgery (SSRF)
vulncheck · 2026 · CVSS 5.8 · CVE-2026-21859 [MEDIUM]
Description: the NVD text quoted at the top of this page.
Affected: axllent mailpit
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://tracker.crowdsec.net/cves/C
No detection rules found.
Nuclei
Mailpit < 1.28.3 - Server-Side Request Forgery
nuclei · CVSS 5.3 · CVE-2026-21859 [MEDIUM]
Mailpit <= 1.28.0 contains a server-side request forgery caused by insufficient validation of internal IP addresses in the /proxy endpoint, letting attackers make requests to internal network resources; exploitation requires crafted HTTP GET requests.
Template (as captured; cut off after the impact field):
```yaml
id: CVE-2026-21859

info:
  name: Mailpit < 1.28.3 - Server-Side Request Forgery
  author: omarkurt
  severity: high
  description: |
    Mailpit <= 1.28.0 contains a server-side request forgery caused by insufficient validation of internal IP addresses in the /proxy endpoint, letting attackers make requests to internal network resources, exploit requires crafted HTTP GET requests.
  impact: |
    Attackers can access internal network services and APIs, potentially exposing sensitive internal resources.
  re
```
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Featured: About this new report
Every enterprise firewall processes traffic from residential IP space. T
Wiz
CVE-2026-21859 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.8 · CVE-2026-21859 [MEDIUM]
## CVE-2026-21859: Homebrew vulnerability analysis and mitigation
Description: the NVD text quoted at the top of this page. Source: NVD
Score: 5.3
Published: January 8, 2026
Severity: MEDIUM
CNA Score: 5.8
Affected Technologies: Homebrew
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Explo
Wiz
CVE-2026-27808 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.8 · CVE-2026-27808 [MEDIUM]
## CVE-2026-27808: Homebrew vulnerability analysis and mitigation
Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr)