Description
Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in either fix. Version 1.29.2 fixes this vulnerability.
Published: 2026-02-25
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (non‑blind SSRF)
Action: Patch
AI Analysis

Impact

Mailpit’s Link Check API performs HTTP HEAD requests to all URLs found in an email without validating target hosts or filtering internal/private IP addresses. The API returns the status code and reason phrase for each link, making the vulnerability non‑blind. An unauthenticated remote attacker can therefore probe internal or privileged services, obtain status information, and potentially use the endpoint for further reconnaissance or denial‑of‑service attempts.

Affected Systems

The flaw affects axllent Mailpit deployments running any version prior to 1.29.2. In installations that have no SMTP or API authentication enabled, the /api/v1/message/{ID}/link-check endpoint is fully exposed and can be accessed from any network source.

Risk and Exploitability

The vulnerability has a CVSS score of 5.8, indicating moderate severity, and an EPSS score of less than 1%, reflecting a low probability of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is remote, requires no special conditions, and the endpoint returns useful information, so the practical risk is higher than the low EPSS score alone would suggest.

Generated by OpenCVE AI on April 17, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy version 1.29.2 or later of Mailpit to eliminate the SSRF flaw.
  • If upgrading is delayed, disable the /api/v1/message/{ID}/link-check endpoint or restrict its exposure so only trusted clients can invoke it.
  • Enable or enforce API authentication so that only authenticated users can access the link-check functionality.
  • Implement network segmentation or firewall rules that block outbound HTTP HEAD requests from the Mailpit server to private or internal IP ranges.
  • Continuously monitor application logs for unexpected HEAD requests or SSRF‑style activity and alert on suspicious patterns.
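The fix the advisory describes is target validation before the HEAD request and filtering of private/internal addresses. The following Go program is an added example of a hardened link checker written for this page; it is not Mailpit's code and the names isPublicIP, validateTarget, guardedClient, checkLinks and LinkResult are hypothetical. It validates each URL up front (scheme, host, every resolved address) and also re-checks the address inside the dialer, so a hostname that resolves to a public address at validation time and to an internal one at connect time (DNS rebinding) is still refused; the same dial-time check covers every redirect hop. Blocked links get a generic error rather than the resolved address, so the response does not reveal internal addressing.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// Non-public ranges that net.IP's own predicates do not cover.
var deniedNets = mustCIDRs(
	"0.0.0.0/8",     // "this" network
	"100.64.0.0/10", // carrier-grade NAT
	"192.0.0.0/24",  // IETF protocol assignments
	"198.18.0.0/15", // benchmarking
	"240.0.0.0/4",   // reserved
)

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// isPublicIP reports whether the link checker may contact ip. Loopback,
// RFC 1918, link-local (which includes the 169.254.169.254 cloud metadata
// address), multicast and unspecified addresses are rejected. The net.IP
// predicates normalise IPv4-mapped IPv6 (::ffff:127.0.0.1) via To4(), so
// that form cannot bypass the check.
func isPublicIP(ip net.IP) bool {
	if ip == nil || ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified() {
		return false
	}
	for _, n := range deniedNets {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

// validateTarget checks a URL before any request is made: only http(s), a
// non-empty host, and every address the host resolves to must be public.
func validateTarget(ctx context.Context, raw string) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, err
		}
		for _, a := range addrs {
			ips = append(ips, a.IP)
		}
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return nil, fmt.Errorf("host %q resolves to non-public address %s", host, ip)
		}
	}
	return ips, nil
}

// guardedClient returns an http.Client whose dialer re-checks the literal
// address at connect time (after DNS), closing the rebinding window and
// covering every redirect hop. Environment proxies are ignored on purpose.
func guardedClient(timeout time.Duration) *http.Client {
	dialer := &net.Dialer{
		Timeout: timeout,
		Control: func(network, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			if !isPublicIP(net.ParseIP(host)) {
				return fmt.Errorf("refusing to connect to %s", host)
			}
			return nil
		},
	}
	return &http.Client{
		Timeout:   timeout,
		Transport: &http.Transport{DialContext: dialer.DialContext, Proxy: nil},
	}
}

// LinkResult is the per-link record a link-check response would carry.
type LinkResult struct {
	URL        string
	StatusCode int
	StatusText string
	Error      string
}

// checkLinks issues a HEAD request only for links that pass validation.
// Rejected links carry a generic error; the detailed reason is logged
// server-side so internal addressing is not echoed to the caller.
func checkLinks(ctx context.Context, client *http.Client, links []string) []LinkResult {
	results := make([]LinkResult, 0, len(links))
	for _, link := range links {
		r := LinkResult{URL: link}
		if _, err := validateTarget(ctx, link); err != nil {
			log.Printf("link-check blocked %q: %v", link, err)
			r.Error = "target not allowed"
			results = append(results, r)
			continue
		}
		req, err := http.NewRequestWithContext(ctx, http.MethodHead, link, nil)
		if err == nil {
			var resp *http.Response
			if resp, err = client.Do(req); err == nil {
				resp.Body.Close()
				r.StatusCode = resp.StatusCode
				r.StatusText = http.StatusText(resp.StatusCode)
			}
		}
		if err != nil {
			r.Error = err.Error()
		}
		results = append(results, r)
	}
	return results
}

func main() {
	// Constructed sample links: three internal targets and one public host.
	links := []string{
		"http://127.0.0.1:8025/",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:127.0.0.1]/",
		"https://example.com/",
	}
	for _, r := range checkLinks(context.Background(), guardedClient(5*time.Second), links) {
		fmt.Printf("%-45s %3d %-10s %s\n", r.URL, r.StatusCode, r.StatusText, r.Error)
	}
}
```

The two-layer design matters: a pre-request check alone can be defeated by a hostname whose answer changes between validation and connection, and a dialer-only check alone would still let an attacker learn from timing or error text; doing both and returning a fixed error string for blocked targets keeps the endpoint's per-link status output without turning it into an internal port scanner.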

Advisories
Source: GitHub GHSA
ID: GHSA-mpf7-p9x7-96r3
Title: Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API
History

Sat, 28 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:axllent:mailpit:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Axllent
Axllent mailpit
Vendors & Products Axllent
Axllent mailpit

Thu, 26 Feb 2026 00:00:00 +0000

Type Values Removed Values Added
Description Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in either fix. Version 1.29.2 fixes this vulnerability.
Title Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:47:56.826Z

Reserved: 2026-02-24T02:31:33.267Z

Link: CVE-2026-27808

Vulnrichment

Updated: 2026-02-26T15:47:42.967Z

NVD

Status : Analyzed

Published: 2026-02-26T00:16:26.013

Modified: 2026-02-28T01:00:17.987

Link: CVE-2026-27808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses