CVE-2026-23845 is a Server-Side Request Forgery (SSRF) vulnerability identified in axllent's Mailpit, an email testing tool widely used by developers to analyze and test email content. The vulnerability exists in versions prior to 1.28.3 within the HTML Check feature, specifically in the `inlineRemoteCSS()` function. This function processes HTML emails by automatically downloading external CSS files referenced via `<link rel="stylesheet" href="...">` tags to inline them for compatibility testing. Because the function fetches these external resources without proper validation or restrictions, an attacker can craft a malicious HTML email containing links to internal or otherwise sensitive network resources. When Mailpit processes such an email, it will make server-side HTTP requests to these attacker-controlled or internal URLs, potentially exposing internal services or metadata. The vulnerability has a CVSS 3.1 base score of 5.8, indicating medium severity. It requires no privileges or user interaction, and the attack surface is network-exposed. The impact primarily affects confidentiality, as attackers may gain information about internal network topology or services, but does not affect data integrity or availability. No known exploits are currently reported in the wild. The issue was addressed in Mailpit version 1.28.3 by modifying the HTML Check feature to prevent unsafe external resource fetching. This vulnerability is categorized under CWE-918 (Server-Side Request Forgery).

For European organizations, this SSRF vulnerability poses a moderate risk, particularly for those using Mailpit versions prior to 1.28.3 in their development or testing environments. Exploitation could allow attackers to leverage the Mailpit server to access internal network resources that are otherwise inaccessible externally, potentially exposing sensitive internal services, metadata, or configuration endpoints. This could lead to information disclosure that aids further attacks such as lateral movement or privilege escalation. While the vulnerability does not directly compromise data integrity or availability, the confidentiality breach could have regulatory implications under GDPR if sensitive personal or corporate data is exposed. Organizations with complex internal networks or those hosting critical internal services accessible from the Mailpit server are at higher risk. Since Mailpit is a developer tool, environments where it is exposed to untrusted inputs or emails from external sources are particularly vulnerable. The lack of authentication or user interaction requirements increases the risk of automated exploitation attempts.

The primary mitigation is to upgrade Mailpit to version 1.28.3 or later, where the vulnerability has been fixed. Organizations should ensure that all instances of Mailpit, especially those exposed to external networks or processing untrusted emails, are promptly updated. Additionally, network-level controls should be implemented to restrict outbound HTTP/HTTPS requests from the Mailpit server to only trusted and necessary destinations, preventing arbitrary external or internal resource access. Employing web application firewalls (WAFs) or network segmentation can further limit the impact by isolating the Mailpit server from sensitive internal services. Monitoring and logging HTTP requests made by Mailpit can help detect suspicious activity indicative of SSRF exploitation attempts. Finally, developers and security teams should review and sanitize inputs processed by Mailpit to minimize exposure to malicious content.