CVE-2026-27808 in mailpit

Summary

by MITRE • 02/26/2026

Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in either fix. Version 1.29.2 fixes this vulnerability.


Analysis

by VulDB Data Team • 03/01/2026

The vulnerability identified as CVE-2026-27808 affects Mailpit, an email testing tool designed for developers to facilitate email validation and testing processes. This tool operates as a mail server and API that allows developers to capture, inspect, and test email messages within their development environments. The specific flaw resides in the Link Check API endpoint at /api/v1/message/{ID}/link-check which was introduced to verify the validity of hyperlinks contained within captured email messages. The vulnerability represents a critical security oversight that enables remote attackers to exploit the system's HTTP request capabilities without proper authorization or validation mechanisms.

This vulnerability stems from missing input validation and access control in the Link Check API. When the service processes an email containing hyperlinks, it issues an HTTP HEAD request to every URL found in the message without any host validation or IP address filtering, so the server can be made to send requests to arbitrary destinations, including internal network addresses, private IP ranges, and localhost. This is Server-Side Request Forgery (SSRF), CWE-918: the application builds HTTP requests to backend services from user-supplied input without properly validating or restricting that input. Because the API response includes the status code and status text for each link, the SSRF is non-blind and gives the attacker immediate feedback on every request.

The impact is severe because the vulnerability is exploitable under the default configuration, where authentication is disabled for both SMTP and API access. An attacker can use it to perform reconnaissance against internal network services that would normally be shielded by network segmentation. Since no user interaction is required and no authentication barrier is present, any remote attacker who discovers the Mailpit service can exploit it immediately. This maps to ATT&CK technique T1190 (Exploit Public-Facing Application), in which attackers target internet-accessible applications to reach internal systems. The status codes returned for the HEAD requests let an attacker probe internal services and infer which applications and ports are running.

The vulnerability is particularly concerning because it mirrors flaws already identified in similar functionality in the same application: the HTML Check API (CVE-2026-23845) and the screenshot proxy (CVE-2026-21859). Those were addressed with input validation and host restriction, but the Link Check code path was overlooked during remediation, which points to inconsistent security review across the application's HTTP request handling code paths. The fix in version 1.29.2 adds host validation and IP address filtering so that only external, publicly reachable URLs can be requested through the Link Check API. The remediation aligns with OWASP Top Ten 2021 category A05: Security Misconfiguration, which emphasizes proper input validation and access controls for all application components. Organizations using Mailpit should upgrade to version 1.29.2 or later immediately to prevent exploitation of internal network resources through this endpoint.
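The mechanism described in the analysis (unvalidated HEAD requests to every link) and the fix it names (host validation plus private-address filtering) are shown together in the Go sketch below. This is an added example written for this page; it is not Mailpit's code and not the 1.29.2 patch. The blocked-range list, the function names (ValidateLinkTarget, refuseBlocked, newSafeClient, CheckLink) and the injected resolver are my assumptions, chosen so the checks can be exercised offline.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// Ranges a link checker must never contact (assumed list, not Mailpit's): loopback,
// RFC 1918, link-local (covers 169.254.169.254 cloud metadata), CGNAT, unspecified, IPv6 equivalents.
var blockedNets = mustParseCIDRs(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
	"172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isBlockedIP covers IPv4, IPv6 and IPv4-mapped IPv6 (IPNet.Contains unwraps the mapped form).
func isBlockedIP(ip net.IP) bool {
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateLinkTarget accepts only http/https URLs whose host resolves solely to public
// addresses. resolve is injected so tests run offline; production code passes net.LookupIP.
func ValidateLinkTarget(raw string, resolve func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return nil, fmt.Errorf("rejecting %q: only http/https URLs with a host are checked", raw)
	}
	ips, err := resolve(u.Hostname())
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("cannot resolve %q", u.Hostname())
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("host %q resolves to non-public address %s", u.Hostname(), ip)
		}
	}
	return u, nil
}

// refuseBlocked runs inside the dialer at connect time, after DNS resolution, so a host
// that rebinds to an internal address after validation, or a redirect to one, is still refused.
func refuseBlocked(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(host); ip == nil || isBlockedIP(ip) {
		return fmt.Errorf("refusing to connect to %s", address)
	}
	return nil
}

// newSafeClient enforces refuseBlocked on every connection, including redirect hops.
func newSafeClient(timeout time.Duration) *http.Client {
	d := &net.Dialer{Timeout: timeout, Control: refuseBlocked}
	return &http.Client{Timeout: timeout, Transport: &http.Transport{DialContext: d.DialContext}}
}

// CheckLink validates first and only then issues the HEAD request, returning the
// per-link status code and text the endpoint reports.
func CheckLink(client *http.Client, raw string, resolve func(string) ([]net.IP, error)) (int, string, error) {
	u, err := ValidateLinkTarget(raw, resolve)
	if err != nil {
		return 0, "", err
	}
	resp, err := client.Head(u.String())
	if err != nil {
		return 0, "", err
	}
	resp.Body.Close()
	return resp.StatusCode, http.StatusText(resp.StatusCode), nil
}
```

The check is deliberately two-layered. ValidateLinkTarget alone leaves a window between resolving the host and connecting to it, which a DNS-rebinding host can exploit; the dialer's Control hook re-checks the address the connection is actually made to, and because the same transport serves redirect hops, a 3xx to an internal address is refused as well. The detailed error strings are for server logs; since the endpoint is non-blind, the API response for a rejected link should carry only a generic "skipped" status rather than which range matched.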

Responsible

GitHub M

Reservation

02/24/2026

Disclosure

02/26/2026

Moderation

accepted

CPE

ready

EPSS

0.00047

KEV

no

Activities

very low

Sources
