CVE-2026-27808: CWE-918: Server-Side Request Forgery (SSRF) in axllent mailpit
CVE-2026-27808 is a Server-Side Request Forgery (SSRF) vulnerability affecting axllent's Mailpit email testing tool versions prior to 1.29.2. The vulnerability exists in the Link Check API endpoint, which performs HTTP HEAD requests to URLs found in emails without validating or filtering target hosts, including private and internal IP addresses. This allows an unauthenticated remote attacker to induce the server to make arbitrary HTTP requests, potentially accessing internal resources or services. The vulnerability is non-blind, as the server returns HTTP status codes and status text for each link, providing immediate feedback to the attacker. Exploitation requires no user interaction and is fully remote in default configurations where no SMTP or API authentication is enabled. The issue was fixed in version 1.29.2.
AI Analysis
Technical Summary
CVE-2026-27808 is a Server-Side Request Forgery (SSRF) vulnerability in the Link Check API of axllent's Mailpit, an email testing tool and API used by developers. The vulnerable endpoint (/api/v1/message/{ID}/link-check) issues HTTP HEAD requests to every URL extracted from an email message without validating the destination hosts or filtering out private, internal, or loopback IP addresses. This lack of validation allows an attacker to craft emails containing malicious URLs that cause the Mailpit server to initiate HTTP requests to arbitrary internal or external systems. Because the server returns HTTP status codes and status text for each link, the attacker gains immediate feedback, making this a non-blind SSRF. The default Mailpit configuration does not require authentication for SMTP or API access, enabling remote, unauthenticated exploitation without user interaction. This vulnerability is related to previous SSRF issues fixed in other Mailpit API endpoints but was overlooked in the Link Check API. The flaw could be leveraged to access internal network resources, potentially bypassing firewall restrictions and exposing sensitive internal services. The vulnerability was assigned CVE-2026-27808 and fixed in Mailpit version 1.29.2. The CVSS 3.1 score of 5.8 reflects a medium severity, with network attack vector, low attack complexity, no privileges required, no user interaction, and a confidentiality impact limited to information disclosure without integrity or availability effects.
Potential Impact
The primary impact of this SSRF vulnerability is unauthorized information disclosure and potential internal network reconnaissance. An attacker can exploit the vulnerability to make the Mailpit server send HTTP requests to internal or protected network resources that are otherwise inaccessible externally. This can lead to the exposure of sensitive internal services, metadata endpoints, or administrative interfaces. While the vulnerability does not directly allow code execution or data modification, it can be a stepping stone for further attacks such as pivoting into internal networks, accessing cloud metadata services, or exploiting other internal vulnerabilities. Organizations using Mailpit in development, testing, or staging environments without proper network segmentation or authentication controls are at higher risk. Since the default configuration lacks authentication, many deployments may be exposed to remote exploitation. The vulnerability could disrupt trust in email testing processes and expose internal infrastructure details, potentially aiding attackers in crafting more targeted attacks. However, no known exploits in the wild have been reported to date.
Mitigation Recommendations
To mitigate CVE-2026-27808, organizations should immediately upgrade Mailpit to version 1.29.2 or later, where the vulnerability is fixed. Additionally, implement strict network segmentation to isolate Mailpit servers from sensitive internal networks, minimizing the impact of SSRF attempts. Configure authentication for SMTP and API access to prevent unauthorized remote exploitation. Employ input validation and URL filtering to restrict requests to trusted domains and disallow private or internal IP ranges. Use web application firewalls (WAFs) with SSRF detection rules to monitor and block suspicious outbound requests. Monitor logs for unusual outbound HTTP HEAD requests initiated by Mailpit. If upgrading is temporarily not possible, disable or restrict access to the Link Check API endpoint. Regularly audit and review Mailpit configurations and network access controls to ensure minimal exposure. Educate development and security teams about SSRF risks and secure coding practices to prevent similar issues in custom tools.
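The URL filtering recommended above, and the missing host validation described in the Technical Summary, can be implemented as a destination guard for a link checker. This is an added example written for this page in Go (Mailpit's language), not Mailpit's own code or its 1.29.2 fix; the function names IsDisallowedIP, ValidateLinkTarget and SafeTransport are assumptions. The check runs twice on purpose: once on the parsed URL, and again inside the transport's dialer so that hostnames resolving to internal addresses, DNS rebinding after a pre-check, and redirects into internal ranges are all refused at connect time.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// CGNAT (RFC 6598) is the one range the net.IP classifiers below do not cover.
var _, cgnat, _ = net.ParseCIDR("100.64.0.0/10")

// IsDisallowedIP reports whether ip is loopback, private (RFC 1918 / IPv6 ULA),
// link-local (169.254.0.0/16, which includes cloud metadata), unspecified or CGNAT.
// The net.IP helpers fold IPv4-mapped IPv6 such as ::ffff:10.0.0.1 back to IPv4.
func IsDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() || cgnat.Contains(ip)
}

// ValidateLinkTarget rejects non-HTTP(S) schemes and literal-IP hosts in blocked
// ranges before any request is built; hostnames are only vetted at dial time.
func ValidateLinkTarget(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("link check refused: scheme %q", u.Scheme)
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && IsDisallowedIP(ip) {
		return fmt.Errorf("link check refused: blocked address %s", ip)
	}
	return nil
}

// SafeTransport resolves each host itself and refuses blocked addresses at connect
// time, so rebinding and redirects into internal ranges are stopped as well.
func SafeTransport() *http.Transport {
	return &http.Transport{DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, _ := net.SplitHostPort(addr) // addr from Transport always carries a port
		ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, err
		}
		for _, a := range ips {
			if IsDisallowedIP(a.IP) {
				return nil, fmt.Errorf("link check refused: %s resolves to %s", host, a.IP)
			}
		}
		d := &net.Dialer{Timeout: 5 * time.Second} // dial the vetted IP, never the name again
		return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
	}}
}
```

Use it as `client := &http.Client{Transport: SafeTransport(), Timeout: 10 * time.Second}` for the HEAD requests; because the guard lives in the dialer, redirects followed by the client are vetted too.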
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:31:33.267Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f8fb4b7ef31ef0b6dc8d3
Added to database: 2/26/2026, 12:11:32 AM
Last enriched: 2/26/2026, 12:27:28 AM
Last updated: 2/26/2026, 2:27:48 AM