cbcvebase.
CVE-2026-45711
published 2026-05-19

CVE-2026-45711: Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs ### Summary The mailpit dump --http sub-command…

medium
Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs

### Summary
The mailpit dump --http sub-command downloads every message from a remote Mailpit instance and writes each one as .eml inside the user-supplied output directory. The message ID field is taken verbatim from the JSON response of the remote server and concatenated into the output path with path.Join, which silently normalizes .. segments. A malicious HTTP server impersonating Mailpit can therefore make mailpit dump write attacker-controlled bytes to any path the running user can write, fully outside the intended output directory.

### Details
Anyone who can convince a user to run mailpit dump --http (typosquat, phishing tutorial, MITM of a plain-http:// Mailpit, or a compromised internal Mailpit they back up regularly) obtains an arbitrary file write primitive as the dumping user. Realistic post-exploitation includes overwriting init/cron files, shell startup files, CI artifact upload targets, web roots, etc. — anything the dumping user can write to, with attacker-controlled file bytes and a .eml filename suffix.

### Affected code
[internal/dump/dump.go](https://github.com/axllent/mailpit/blob/develop/internal/dump/dump.go#L118-L155):

path.Join("/safe/out/dir", "../../../../etc/cron.d/payload.eml") resolves to /etc/cron.d/payload.eml — the .. segments are normalized, not rejected. The remote server controls both m.ID (path) and the body of /api/v1/message//raw (contents). There is no filepath.Rel(outDir, out) containment check, no allow-list on m.ID characters, and no body-size cap.

The underlying cause is that the command was added to back up a trusted Mailpit, but the trust model on the wire never gets validated — the operator only supplies a URL.

### PoC

1. Run a malicious "Mailpit" server that returns one message whose ID contains .. segments:

```python
# evil-mailpit.py
import http.server, json

class Evil(http.server.BaseHTTPRequestHandler)

Affected

1 ranges
VendorProductVersion rangeFixed in
github.comaxllent_mailpit>= 0 < 1.30.01.30.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.