Mailpit Server-Side Request Forgery

Published: 02 Feb 2026 00:00:00
Reported by: Omar Kurt
Type: packetstorm
Source: packetstorm.news

Mailpit SSRF in /api/v1/proxy allows unauthenticated access to internal resources; upgrade to 1.28.1.

Mailpit - Server-Side Request Forgery (SSRF)

Advisory ID: RO-26-001
CVE ID: CVE-2026-21859
Severity: Medium
Vendor: axllent
Product: Mailpit
Version: < 1.28.0

Overview

A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.

Vulnerability Details

Affected Versions: < 1.28.0

Location: /api/v1/proxy endpoint

Affected Parameter: url

Root Cause: The vulnerability exists due to insufficient validation of user-supplied URLs. Attackers can supply internal URLs that the server will fetch on their behalf.

Exploitation Requirements

    No authentication required
    Direct access to the Mailpit web interface

Impact

Remote attackers can exploit this vulnerability to:

    Access internal services (databases, APIs)
    Scan internal network resources
    Access cloud metadata endpoints (AWS, GCP, Azure)
    Potentially pivot to internal systems

Proof of Concept

GET /api/v1/proxy?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1
Host: mailpit.target.com

Solution

Upgrade to Mailpit version 1.28.1 or later, which includes proper URL validation for the proxy endpoint.

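As an added illustration of the kind of URL validation the fix calls for (this is example code written for this page, not Mailpit's own implementation), the Go check below guards a proxy-style endpoint by rejecting loopback, RFC 1918 private, link-local (where the 169.254.169.254 metadata address from the proof of concept lives) and unspecified destinations, and by checking every address a hostname resolves to. The Resolver type and the 203.0.113.10 answer it returns are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Resolver maps a hostname to its addresses; injected so the check can run against a constructed table.
type Resolver func(host string) ([]net.IP, error)

// blockedIP: loopback, RFC 1918 private, link-local (169.254.169.254 lives here) and unspecified.
// IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 are covered because these methods use To4().
func blockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// ValidateProxyURL accepts only absolute http(s) URLs whose host resolves exclusively to publicly
// routable addresses; every resolved address is checked, so a name mixing public and internal records fails.
func ValidateProxyURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // brackets and port stripped
	if host == "" {
		return fmt.Errorf("missing host")
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: look the name up
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %q", host)
		}
	}
	for _, ip := range ips {
		if blockedIP(ip) {
			return fmt.Errorf("destination %s is not publicly routable", ip)
		}
	}
	return nil
}

func main() {
	// Constructed resolver answering a documentation-range address for any name.
	public := func(string) ([]net.IP, error) { return []net.IP{net.ParseIP("203.0.113.10")}, nil }
	fmt.Println(ValidateProxyURL("http://169.254.169.254/latest/meta-data/", public))
	fmt.Println(ValidateProxyURL("https://example.org/", public))
}
```

Validating a name and then letting the HTTP client resolve it a second time leaves a DNS rebinding window; in production, connect to the addresses that passed the check (for example through a custom Dialer) rather than re-resolving.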
References

    GitHub Advisory
    Mailpit Release Notes

Timeline:

    [2026-01-06] - Discovered
    [2026-01-07] - Reported
    [2026-01-08] - Fixed

Credits: Omar Kurt


Vulners AI Score: 5.4 (Medium risk)
CVSS 3.1: 5.3 - 5.8
EPSS: 0.00755