CVE-2026-21859

5.8 MEDIUM

📋 TL;DR

Mailpit versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint that allows attackers to make HTTP GET requests to internal network resources. Attackers can access internal services and APIs that should not be exposed. This affects all users running vulnerable versions of Mailpit.

💻 Affected Systems

Products:
  • Mailpit
Versions: 1.28.0 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of the /proxy endpoint.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive internal APIs, retrieve credentials from metadata services, or pivot to attack other internal systems.

🟠 Likely Case

Information disclosure from internal services, reconnaissance of internal network structure, or accessing internal APIs with limited functionality.

🟢 If Mitigated

Limited impact if network segmentation prevents access to sensitive internal resources or if the proxy endpoint is not exposed.

🌐 Internet-Facing: HIGH if Mailpit is internet-facing, as attackers can directly exploit the SSRF to probe internal networks.
🏢 Internal Only: MEDIUM if Mailpit is internal-only, as attackers would need internal access first but could then pivot to other internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests to the /proxy endpoint with internal IP addresses. Limited to GET requests with minimal headers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.28.1

Vendor Advisory: https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr

Restart Required: Yes

Instructions:

1. Stop the Mailpit service.
2. Update to version 1.28.1 using your package manager or by downloading from GitHub.
3. Restart the Mailpit service.

🔧 Temporary Workarounds

Disable /proxy endpoint (applies to: all)

Remove or disable the /proxy endpoint if it is not needed: modify the Mailpit configuration to disable proxy functionality.

Network segmentation (applies to: all)

Restrict Mailpit's network access so it cannot reach internal resources: configure firewall rules to block Mailpit from accessing internal IP ranges.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Mailpit from sensitive internal systems
  • Deploy a web application firewall (WAF) with SSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check if Mailpit version is 1.28.0 or below and if the /proxy endpoint is accessible.

Check Version:

mailpit --version

Verify Fix Applied:

Verify Mailpit version is 1.28.1 or higher and test that the /proxy endpoint blocks requests to internal IP addresses.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /proxy endpoint with internal IP addresses
  • HTTP GET requests to internal resources from Mailpit

Network Indicators:

  • Outbound connections from Mailpit to internal IP ranges on ports 80/443

SIEM Query:

source="mailpit" AND (url_path="/proxy" AND (dst_ip=10.0.0.0/8 OR dst_ip=172.16.0.0/12 OR dst_ip=192.168.0.0/16))
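As an added example (not Mailpit's own code and not part of the advisory), the following Python script applies the log indicators above to a few constructed access-log lines: it picks out requests to /proxy, reads the proxied target from a `url` query parameter (an assumption about Mailpit's request shape), and classifies the target against the internal ranges named in the SIEM query plus loopback and link-local (the cloud metadata range). Hostname targets cannot be judged offline, so they are surfaced as a separate verdict for review rather than silently passed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Internal ranges named in the advisory's SIEM query, plus loopback and
# link-local (the cloud metadata range) and their IPv6 counterparts.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]

# Common-log-format style access line; this format is assumed, not Mailpit's.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation space.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:10:00:01 +0000] "GET /api/v1/messages HTTP/1.1" 200
203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "GET /proxy?url=https%3A%2F%2Fexample.com%2Flogo.png HTTP/1.1" 200
203.0.113.7 - - [10/Jan/2026:10:00:03 +0000] "GET /proxy?url=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200
203.0.113.7 - - [10/Jan/2026:10:00:04 +0000] "GET /proxy?url=http%3A%2F%2F10.0.0.5%3A8080%2Fstatus HTTP/1.1" 502
203.0.113.7 - - [10/Jan/2026:10:00:05 +0000] "GET /proxy?url=http%3A%2F%2F198.51.100.9%2Fbanner.png HTTP/1.1" 200
203.0.113.7 - - [10/Jan/2026:10:00:06 +0000] "GET /proxy?url=http%3A%2F%2Fintranet.corp%2F HTTP/1.1" 200
"""


def proxied_target(request_target):
    """Return the URL handed to /proxy via the `url` parameter, else None.

    The `url` parameter name is an assumption about Mailpit's request shape.
    """
    parts = urlsplit(request_target)
    if parts.path != "/proxy":
        return None
    values = parse_qs(parts.query).get("url")
    return values[0] if values else None


def classify_target(url):
    """'internal' for a literal address inside INTERNAL_NETS, 'external' for
    any other literal address, 'hostname' when the host would need DNS
    resolution (not done offline) before it can be judged."""
    host = urlsplit(url).hostname
    if host is None:
        return "hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    # Mixed-version membership tests simply return False, so one loop covers v4 and v6.
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def scan_log(lines):
    """Return one record per /proxy request found in the log lines."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = proxied_target(m.group("target"))
        if target is None:
            continue
        records.append({
            "client": m.group("client"),
            "status": int(m.group("status")),
            "target": target,
            "verdict": classify_target(target),
        })
    return records


def internal_targets(lines):
    """Just the proxied targets that point at internal address space."""
    return [r["target"] for r in scan_log(lines) if r["verdict"] == "internal"]


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{rec['verdict']:8} {rec['status']} {rec['client']} -> {rec['target']}")
```

Run against real logs by feeding `scan_log` the file's lines; the `status` field is kept because a 502 on an internal target still shows a reachability probe even when the upstream did not answer. The `hostname` verdict is the one to resolve in a controlled way during triage, since a name such as intranet.corp can point anywhere.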
