CVE-2026-21859: CWE-918: Server-Side Request Forgery (SSRF) in axllent mailpit
Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1.
AI Analysis
Technical Summary
Mailpit is a developer-focused email testing tool that includes a /proxy endpoint intended to forward HTTP GET requests. Versions up to 1.28.0 contain a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-21859, CWE-918) in this endpoint. Although the endpoint validates that requests use the http:// or https:// schemes, it fails to block requests targeting internal IP addresses or private network ranges. This allows an unauthenticated attacker to craft requests that the server forwards to internal network services, potentially exposing sensitive internal APIs or resources not intended for external access. The vulnerability is limited to HTTP GET requests with minimal headers, which somewhat restricts the attack surface but still enables reconnaissance and data access within the internal network. The flaw does not affect confidentiality or integrity of Mailpit itself but can lead to information disclosure from internal systems. The issue was addressed in Mailpit version 1.28.1 by implementing proper internal IP address filtering or blocking in the /proxy endpoint. No known exploits are reported in the wild as of now, but the vulnerability is publicly disclosed and should be considered a moderate risk due to ease of exploitation without authentication or user interaction.
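As an added illustration (not Mailpit's own code), the Go snippet below contrasts a scheme-only check, reconstructed from the behaviour described above, with a hardened check that also resolves the host and refuses internal addresses. The function names and the injected resolver are assumptions for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Weak check as described for Mailpit <= 1.28.0 (a reconstruction, not Mailpit's code):
// any http:// or https:// URL passes, wherever it points.
func schemeOnlyCheck(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	return u, nil
}

// isInternalIP: loopback, RFC 1918/ULA private, link-local or unspecified.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// hardenedCheck adds the missing step: resolve the host and reject the URL if any
// address is internal. The resolver is injected so tests run offline; production code
// should also pin the vetted IP for the outbound connection to defeat DNS rebinding.
func hardenedCheck(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := schemeOnlyCheck(raw)
	if err != nil {
		return err
	}
	ips, err := resolve(u.Hostname())
	if err != nil || len(ips) == 0 {
		return fmt.Errorf("host %q did not resolve", u.Hostname())
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return fmt.Errorf("refusing to proxy to internal address %s", ip)
		}
	}
	return nil
}

func main() {
	// net.LookupIP returns an IP literal without a DNS query, so this runs offline.
	fmt.Println(hardenedCheck("http://127.0.0.1:8025/", net.LookupIP))
}
```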
Potential Impact
For European organizations, this SSRF vulnerability poses a moderate risk primarily related to unauthorized internal network reconnaissance and potential exposure of sensitive internal services. Attackers exploiting this flaw could access internal APIs, configuration endpoints, or management interfaces that are otherwise protected by network segmentation. This could lead to further lateral movement or information gathering for more advanced attacks. Organizations using Mailpit versions prior to 1.28.1 in development, testing, or staging environments connected to sensitive internal networks are particularly at risk. While the vulnerability does not directly compromise Mailpit’s integrity or availability, the indirect impact on internal network confidentiality could be significant, especially if critical infrastructure or sensitive data repositories are accessible internally. The risk is heightened in environments where Mailpit is exposed to untrusted networks or where network segmentation is weak.
Mitigation Recommendations
European organizations should immediately upgrade Mailpit to version 1.28.1 or later to apply the official fix that blocks internal IP addresses in the /proxy endpoint. Until the upgrade can be applied, restrict access to the /proxy endpoint with network controls such as firewalls or API gateways, limiting it to trusted IP ranges or internal users only. Implement strict network segmentation to isolate development and testing tools like Mailpit from sensitive internal services. Monitor logs for unusual or unexpected requests to the /proxy endpoint that may indicate exploitation attempts. Additionally, conduct internal network scans to identify any exposed services that could be reached via SSRF and apply appropriate access controls. Educate developers and DevOps teams about the risks of SSRF and secure coding practices for proxy or forwarding endpoints.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T16:44:16.367Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695eeee107b8a419a7712f3c
Added to database: 1/7/2026, 11:40:17 PM
Last enriched: 1/15/2026, 4:36:58 AM
Last updated: 2/7/2026, 2:01:45 PM
Views: 50