Mailpit, an email testing tool and API used by developers, has a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2026-21859 (CWE-918) affecting versions 1.28.0 and earlier. The vulnerability resides in the /proxy endpoint, which accepts HTTP GET requests and allows users to specify URLs with http:// and https:// schemes. However, the endpoint fails to block requests targeting internal IP addresses, enabling attackers to make unauthorized requests to internal network services and APIs that are otherwise inaccessible externally. The vulnerability is limited to HTTP GET requests with minimal headers, and no authentication or user interaction is required to exploit it. The flaw could allow attackers to gather sensitive information from internal systems or perform reconnaissance for further attacks. The issue was addressed in Mailpit version 1.28.1 by implementing proper validation to prevent internal IP address access. The CVSS v3.1 base score is 5.8, indicating a medium severity level, with an attack vector of network, low attack complexity, no privileges required, no user interaction, and a scope change. The impact affects confidentiality slightly but does not affect integrity or availability. There are no known exploits in the wild as of the publication date.

For European organizations, this SSRF vulnerability poses a moderate risk primarily to confidentiality. Attackers exploiting this flaw could access internal services and APIs that are not exposed externally, potentially extracting sensitive information or mapping internal network infrastructure. This could facilitate subsequent targeted attacks or data breaches. Since Mailpit is a developer tool, organizations with active development or testing environments using vulnerable versions may be at risk. The vulnerability does not directly impact data integrity or system availability, but unauthorized internal access could lead to indirect consequences. The risk is heightened in environments where internal services contain sensitive data or where network segmentation is weak. Given the medium severity and lack of known exploits, the immediate threat level is moderate but warrants prompt remediation to prevent escalation.

European organizations should immediately upgrade Mailpit to version 1.28.1 or later to apply the official fix that blocks internal IP addresses in the /proxy endpoint. Until the update is applied, organizations should restrict access to the /proxy endpoint by implementing network-level controls such as firewall rules or access control lists limiting usage to trusted IP addresses or internal users only. Additionally, monitoring and logging requests to the /proxy endpoint can help detect suspicious activity indicative of SSRF exploitation attempts. Developers should review usage of Mailpit in their environments to ensure it is not exposed to untrusted networks or users. Employing network segmentation to isolate development and testing environments from sensitive production systems can reduce potential impact. Finally, conducting internal vulnerability scans and penetration tests focusing on SSRF vectors can help identify and remediate similar weaknesses.