CVE-2026-21859 - Vulnerability Details

- Mailpit Proxy Endpoint is Vulnerable to Server-Side Request Forgery (SSRF)

Description

Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1.

Published: 2026-01-07

Score: 5.8 Medium

EPSS: 1.0% Low

KEV: No

Impact:

Action:

Analysis

Impact

Mailpit, an email testing and API tool, contains a flaw in its /proxy endpoint that allows a server‑side request forgery attack; an attacker can submit an HTTP or HTTPS URL and the endpoint forwards the request without validating the target. This enables indirect access to internal network services, restricted APIs, or data that would otherwise be unreachable from the public Internet. The vulnerability is identified as CWE‑918 and is limited to HTTP GET requests with minimal headers.

Affected Systems

All axllent Mailpit releases up to and including 1.28.0 are vulnerable; the issue was fixed in 1.28.1, and any deployment of that version or newer is no longer affected.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity while the EPSS score of 1% suggests a low but non‑zero exploitation probability. The CVE description does not specify whether authentication is required to use the /proxy endpoint, so it is unclear whether an unauthenticated attacker can trigger the SSRF without credentials. The SSRF flaw nevertheless allows an attacker who can reach the Mailpit server to perform internal reconnaissance, lateral movement, or to access internal services or APIs that would otherwise be inaccessible from the public Internet. The vulnerability is not listed in the CISA KEV catalog, reducing automated alerting but not eliminating the risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

axllent

mailpit

affected

Version	Status	Constraints
`< 1.28.1`	affected	—

Configuration 1 [-]

cpe:2.3:a:axllent:mailpit:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Mailpit to version 1.28.1 or later, which removes the SSRF weakness.
If the proxy feature is not required, remove or disable the /proxy endpoint from the service configuration.
Implement network or application‑level controls to restrict outbound connections from Mailpit to approved external hosts, ensuring internal addresses remain unreachable.

Generated by OpenCVE AI on April 18, 2026 at 16:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-8v65-47jx-7mfr	Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01018.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/axllent/mailpit/commit/3b9b470c093b3d20b7d751722c1c24f3eed2e19d
https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr

History

Mon, 02 Feb 2026 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Axllent Axllent mailpit
CPEs		cpe:2.3:a:axllent:mailpit::::::::
Vendors & Products		Axllent Axllent mailpit

Thu, 08 Jan 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 07 Jan 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1.
Title		Mailpit Proxy Endpoint is Vulnerable to Server-Side Request Forgery (SSRF)
Weaknesses		CWE-918
References		https://github.com/axllent/mailpit/commit/3b9b470c093b3d20b7d751722c1c24f3eed2e19d https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr
Metrics		cvssV3_1 `{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}`

Subscriptions

Axllent Mailpit

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-07T23:24:07.869Z

Updated: 2026-01-08T19:23:22.033Z

Reserved: 2026-01-05T16:44:16.367Z

Link: CVE-2026-21859

Vulnrichment

Updated: 2026-01-08T19:23:13.440Z

NVD

Status : Analyzed

Published: 2026-01-08T00:16:00.150

Modified: 2026-02-02T19:16:52.987

Link: CVE-2026-21859

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object