Jan 7, 2026 · 6 min read
Mailpit, a popular email testing tool, included a `/proxy` endpoint that fetches remote assets (images, stylesheets) referenced by a message so the web UI can render it. Before the fix it performed no validation of the target URL at all. An attacker can abuse this to make the Mailpit server send HTTP GET requests to any destination, including `localhost` and internal network ranges. The fix forces the proxy to validate that the requested URL actually appears in a specific email message before fetching it.
A Server-Side Request Forgery (SSRF) vulnerability in Mailpit's `/proxy` endpoint allows unauthenticated attackers to use the Mailpit server as an arbitrary HTTP proxy. This facilitates internal network reconnaissance, access to local APIs, and potential cloud metadata exfiltration.
CVSS v3.1 vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N`

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Mailpit (axllent/mailpit) | < 2026-01-06 (commit 3b9b470) | Post-2026-01-06 release |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-918 (SSRF) |
| Attack Vector | Network (AV:N) |
| CVSS v3.1 | 5.8 (Medium) |
| Exploit Status | PoC Available |
| Authentication | None required (default configuration) |
| Impact | Confidentiality (rated C:L in the vector; substantially higher in practice if a cloud metadata endpoint or an unauthenticated internal API is reachable from the Mailpit host) |
Server-Side Request Forgery (SSRF) occurs when a web application fetches a remote resource using a user-supplied URL without validating it. The attacker coerces the application into sending a crafted request to a destination of their choosing, which lets them reach hosts that are not exposed to them directly: loopback services, RFC 1918 ranges, and cloud metadata endpoints such as `169.254.169.254`, effectively bypassing perimeter firewalls because the request originates from inside the network.
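To make the difference between the vulnerable and the fixed behaviour concrete, here is an added Go example written for this page. It is not Mailpit's own code: the function names (`messageAssets`, `vulnerableProxyTarget`, `fixedProxyTarget`, `isInternalTarget`), the regular expression used to pull `src`/`href` URLs out of a body, and the sample HTML message are all assumptions made for illustration. The first proxy function accepts any URL, as the pre-fix endpoint did; the second implements the fix the advisory describes, allowing only URLs that actually occur in the message being rendered. The third function goes beyond the described fix and adds a defence-in-depth check for literal loopback, private, and link-local targets.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample message body (not a real Mailpit message): the only
// assets a legitimate client should ever ask the proxy to fetch.
const sampleHTML = `<html><body>
<img src="https://cdn.example.com/logo.png">
<link rel="stylesheet" href="https://cdn.example.com/style.css">
</body></html>`

// Assumed, simplified extraction of src/href attribute values. A real
// implementation would use an HTML tokenizer rather than a regexp.
var srcAttr = regexp.MustCompile(`(?i)\b(?:src|href)\s*=\s*["']([^"']+)["']`)

// messageAssets returns the set of http(s) URLs referenced by a message body.
func messageAssets(html string) map[string]bool {
	assets := make(map[string]bool)
	for _, m := range srcAttr.FindAllStringSubmatch(html, -1) {
		u, err := url.Parse(strings.TrimSpace(m[1]))
		if err == nil && (u.Scheme == "http" || u.Scheme == "https") {
			assets[u.String()] = true
		}
	}
	return assets
}

// vulnerableProxyTarget mirrors the pre-fix behaviour: any parseable URL the
// client supplies becomes the target of a server-side GET.
func vulnerableProxyTarget(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return u.String(), nil
}

// fixedProxyTarget implements the described fix: the URL must be one of the
// assets referenced by the specific message being rendered.
func fixedProxyTarget(assets map[string]bool, raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if !assets[u.String()] {
		return "", fmt.Errorf("proxy: %q is not an asset of this message", raw)
	}
	return u.String(), nil
}

// isInternalTarget is an additional defence-in-depth check (not part of the
// advisory's fix) for targets that are literally loopback, private, link-local
// or unspecified addresses. Hostnames return false here: they must be resolved
// and every returned address checked at dial time (and again after redirects)
// to defeat DNS rebinding, which is out of scope for this example.
func isInternalTarget(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return true // fail closed on unparseable input
	}
	host := u.Hostname()
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

func main() {
	assets := messageAssets(sampleHTML)
	for _, target := range []string{
		"https://cdn.example.com/logo.png",
		"http://169.254.169.254/latest/meta-data/",
		"http://127.0.0.1:8025/",
	} {
		_, vErr := vulnerableProxyTarget(target)
		_, fErr := fixedProxyTarget(assets, target)
		fmt.Printf("%-42s vulnerable-accepts:%-5v fixed-accepts:%-5v internal:%v\n",
			target, vErr == nil, fErr == nil, isInternalTarget(target))
	}
}
```

The allowlist check is the important one: it ties the proxy to the message it was meant to serve, so a metadata or loopback URL is rejected regardless of whether the network check recognises it. The address check is cheap extra insurance against a message that itself embeds an internal URL, but on its own it is not a fix for this bug.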