
CVE-2026-27808: CWE-918: Server-Side Request Forgery (SSRF) in axllent mailpit

Severity: Medium
Tags: CVE-2026-27808, CWE-918
Published: Wed Feb 25 2026 (02/25/2026, 23:51:20 UTC)
Source: CVE Database V5
Vendor/Project: axllent
Product: mailpit

Description

Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in either fix. Version 1.29.2 fixes this vulnerability.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/05/2026, 11:16:56 UTC

Technical Analysis

CVE-2026-27808 is a Server-Side Request Forgery (SSRF) vulnerability in the Link Check API (/api/v1/message/{ID}/link-check) of axllent's Mailpit, an email testing tool and API for developers. In versions prior to 1.29.2, calling this endpoint for a stored message makes the server issue an HTTP HEAD request to every URL found in that message. The server does not validate or filter the target hosts, so an attacker who controls the message content can point those requests at internal or private addresses that the Mailpit host can reach but the attacker cannot.

The vulnerability is non-blind: the API returns the HTTP status code and status text for each link, so the caller learns immediately whether an internal host answered and how. In Mailpit's default configuration neither SMTP nor the API requires authentication, so a remote attacker can deliver a crafted message over SMTP and then invoke the Link Check endpoint without credentials or user interaction.

The flaw belongs to a pattern of similar issues already fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr); the Link Check code path was not covered by either fix. It was published on February 25, 2026, with a CVSS 3.1 base score of 5.8 (medium). The impact is on confidentiality, with no direct effect on integrity or availability. Mailpit 1.29.2 resolves the issue by validating and filtering target hosts in the Link Check API.

Potential Impact

The primary impact of CVE-2026-27808 is exposure of internal network resources. An attacker can make the Mailpit server send HEAD requests to addresses that are not reachable from the internet, bypassing segmentation and firewall rules that assume only trusted hosts originate such traffic. Because the API returns only the status code and status text per link, not the response body, the direct gain is reconnaissance: confirming which internal hosts and ports answer HTTP (metadata services, internal APIs, management interfaces) and how they respond, rather than reading their content. Some internal endpoints may also act on a request regardless of its method, so a HEAD is not always harmless.

That reconnaissance can feed further attacks such as lateral movement, privilege escalation or targeted exploitation of the discovered services. Deployments running the default configuration, with no authentication on SMTP or the API, are most exposed, since exploitation needs neither credentials nor user interaction. Development and test environments that host Mailpit alongside other internal services are a typical place for this to matter. The medium CVSS score reflects easy exploitation balanced against the absence of direct integrity or availability impact; the practical severity depends on what the Mailpit host can reach.

Mitigation Recommendations

To mitigate CVE-2026-27808, upgrade Mailpit to version 1.29.2 or later, which validates and filters target hosts in the Link Check API. Until the upgrade is applied, restrict outbound HTTP from the Mailpit host at the network level: allow only the external destinations it needs and block private, loopback, link-local (including the cloud metadata address) and other internal ranges. Egress filtering is the control that actually stops the forged requests, because the attacker's URLs arrive inside email bodies over SMTP and are never passed to the API as parameters.

Enable authentication on both the API and SMTP: API authentication stops unauthenticated callers from triggering the link check, and SMTP authentication stops outsiders from injecting messages in the first place. Audit existing deployments for unauthenticated access, and keep Mailpit, a development tool, off networks reachable by untrusted parties. A web application firewall in front of the API sees only the call to /api/v1/message/{ID}/link-check, not the URLs being fetched, so at most it can restrict or alert on that endpoint; it should not be relied on to detect this SSRF.

For detection, monitor for unexpected outbound HTTP HEAD requests from the Mailpit host and for calls to the link-check endpoint from unexpected clients. Finally, review internal segmentation so that an abused Mailpit host can reach as few sensitive internal services as possible.
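As an added example, not Mailpit's own code or its 1.29.2 fix, the following Go program shows the kind of target validation a link checker of this type needs: each URL is restricted to absolute http(s), resolved, rejected if any resolved address is loopback, private, link-local, multicast, unspecified or in a few other reserved ranges, and only then fetched with HEAD through a client pinned to the vetted address so that a second DNS answer or an HTTP redirect cannot steer the request to an internal host. The names (Resolver, IsDisallowedIP, VetTarget, CheckLinks), the blocked-range list, the sample message and the stub resolver are assumptions made here for illustration.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"regexp"
	"time"
)

// Resolver (assumed name) abstracts DNS so the check runs offline against a stub; in production wrap net.DefaultResolver.LookupNetIP(ctx, "ip", host).
type Resolver func(ctx context.Context, host string) ([]netip.Addr, error)

// Ranges the netip predicates do not flag: "this host", CGNAT, IETF protocol assignments, reserved.
var extraBlocked = []netip.Prefix{netip.MustParsePrefix("0.0.0.0/8"), netip.MustParsePrefix("100.64.0.0/10"), netip.MustParsePrefix("192.0.0.0/24"), netip.MustParsePrefix("240.0.0.0/4")}

// IsDisallowedIP reports whether an address must never be contacted on behalf of an untrusted caller.
func IsDisallowedIP(ip netip.Addr) bool {
	ip = ip.Unmap() // netip would otherwise treat ::ffff:127.0.0.1 as an ordinary IPv6 address
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() {
		return true // loopback, RFC 1918/4193, 169.254/16 (cloud metadata lives here), multicast, 0.0.0.0 and ::
	}
	for _, p := range extraBlocked {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// VetTarget allows only absolute http(s) URLs, resolves the host and rejects the link if ANY answer is disallowed (a rebinding host can mix a public and a loopback address); on success it returns the address to pin the connection to.
func VetTarget(ctx context.Context, raw string, resolve Resolver) (*url.URL, netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, netip.Addr{}, err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return nil, netip.Addr{}, fmt.Errorf("not an absolute http(s) URL: %q", raw)
	}
	var ips []netip.Addr
	if ip, perr := netip.ParseAddr(u.Hostname()); perr == nil {
		ips = []netip.Addr{ip} // literal address: no DNS round trip
	} else if ips, err = resolve(ctx, u.Hostname()); err != nil || len(ips) == 0 {
		return nil, netip.Addr{}, fmt.Errorf("%q: cannot resolve (%v)", u.Hostname(), err)
	}
	for _, ip := range ips {
		if IsDisallowedIP(ip) {
			return nil, netip.Addr{}, fmt.Errorf("%q resolves to disallowed address %s", u.Hostname(), ip)
		}
	}
	return u, ips[0].Unmap(), nil
}

// pinnedClient dials only the vetted address (a fresh DNS answer at connect time is ignored), uses no proxy, enforces timeouts and refuses redirects, which could otherwise bounce the request to loopback.
func pinnedClient(u *url.URL, ip netip.Addr) *http.Client {
	port := u.Port()
	if port == "" {
		port = map[string]string{"http": "80", "https": "443"}[u.Scheme]
	}
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
		}},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
}

var linkRe = regexp.MustCompile(`https?://[^\s"'<>()]+`)
// CheckLinks is the hardened link check: every URL is vetted before a HEAD request is sent, and a rejected link reports "blocked" instead of the internal target's status line.
func CheckLinks(ctx context.Context, body string, resolve Resolver) map[string]string {
	results := map[string]string{}
	for _, link := range linkRe.FindAllString(body, -1) {
		u, ip, err := VetTarget(ctx, link, resolve)
		if err != nil {
			results[link] = "blocked: " + err.Error()
			continue
		}
		req, _ := http.NewRequestWithContext(ctx, http.MethodHead, u.String(), nil)
		if resp, err := pinnedClient(u, ip).Do(req); err != nil {
			results[link] = "error: " + err.Error()
		} else {
			resp.Body.Close()
			results[link] = resp.Status
		}
	}
	return results
}

func main() {
	// Constructed sample message and stub resolver (every name -> 10.0.0.5): nothing leaves the host.
	body := "See http://intranet.example/admin and http://169.254.169.254/latest/meta-data/ today"
	stub := func(context.Context, string) ([]netip.Addr, error) { return []netip.Addr{netip.MustParseAddr("10.0.0.5")}, nil }
	fmt.Println(CheckLinks(context.Background(), body, stub))
}
```

Two details matter more than they look. The check runs on every address the name resolves to, not just the first, and the dialer connects to the address that passed the check rather than re-resolving the hostname, which is what DNS rebinding exploits; TLS still verifies the certificate against the hostname in the URL because only the dial address is overridden. Redirects are refused rather than followed-and-rechecked to keep the example short; a checker that follows them must vet each hop the same way.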


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-24T02:31:33.267Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f8fb4b7ef31ef0b6dc8d3

Added to database: 2/26/2026, 12:11:32 AM

Last enriched: 3/5/2026, 11:16:56 AM

Last updated: 4/12/2026, 6:49:13 AM
