CVE-2026-27808

5.8 MEDIUM

📋 TL;DR

Mailpit versions before 1.29.2 contain a Server-Side Request Forgery (SSRF) vulnerability in the Link Check API that allows attackers to make the server send HTTP HEAD requests to arbitrary URLs, including internal systems. This can be exploited remotely without authentication in default configurations to scan internal networks or interact with internal services. All Mailpit users with the vulnerable API endpoint exposed are affected.

💻 Affected Systems

Products:
  • Mailpit
Versions: All versions prior to 1.29.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Default configuration has no authentication on SMTP or API, making this fully exploitable remotely. The vulnerability exists specifically in the /api/v1/message/{ID}/link-check endpoint.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could use the vulnerable server as a proxy to attack internal systems, access metadata services (like AWS/Azure instance metadata), scan internal networks, or interact with internal APIs that accept HEAD requests.

🟠 Likely Case

Internal network reconnaissance, accessing internal web services, or interacting with cloud metadata services to potentially obtain credentials.

🟢 If Mitigated

Limited to scanning reachable internal services if proper network segmentation exists, but still reveals internal infrastructure details.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending an email with malicious links to Mailpit, then calling the vulnerable API endpoint with the message ID. The SSRF is non-blind, providing feedback about target responses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.29.2

Vendor Advisory: https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3

Restart Required: Yes

Instructions:

1. Stop the Mailpit service.
2. Update to version 1.29.2 or later using your package manager or by downloading from GitHub releases.
3. Restart the Mailpit service.
4. Verify the fix by checking the version.

🔧 Temporary Workarounds

Disable Link Check API (platform: all)

Remove or block access to the vulnerable /api/v1/message/{ID}/link-check endpoint.

# Configure web server or firewall to block /api/v1/message/*/link-check
# Or modify Mailpit configuration to disable this feature if supported

Enable Authentication (platform: all)

Configure authentication for the Mailpit API and SMTP to prevent unauthenticated access.

# Configure Mailpit with --ui-auth or --smtp-auth flags
# Set up authentication in mailpit.yaml configuration file

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Mailpit from internal systems
  • Deploy web application firewall (WAF) rules to block SSRF patterns in API requests

🔍 How to Verify

Check if Vulnerable:

Check if Mailpit version is below 1.29.2 and the /api/v1/message/{ID}/link-check endpoint is accessible without authentication.

Check Version:

mailpit --version

Verify Fix Applied:

After updating to 1.29.2 or later, test that the Link Check API now validates URLs and refuses requests to internal/private IP addresses (loopback, RFC 1918 and link-local ranges, including the cloud metadata address).
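The kind of destination filter such a fix needs, as an added illustration in Go (not Mailpit's own code; the hostnames and the stand-in resolver are constructed for the demo, and the check resolves a name once and refuses it if any record is internal):

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Resolver abstracts DNS lookup so the check can run offline.
type Resolver func(host string) ([]net.IP, error)

// isInternal flags loopback, RFC 1918 private, link-local (which covers the 169.254.169.254 metadata address), multicast and unspecified addresses.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// CheckLinkTarget vets a URL from a message before any HEAD request: http(s)
// only, and every resolved address must be public (a name mixing public and
// private records is refused). Dial the vetted IP afterwards, not the name again.
func CheckLinkTarget(raw string, resolve Resolver) error {
	u, err := url.Parse(raw) // url.Parse lowercases the scheme
	if err != nil {
		return fmt.Errorf("unparseable url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: look the name up
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %q: %v", host, err)
		}
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return fmt.Errorf("%s resolves to internal address %s", host, ip)
		}
	}
	return nil
}

// constructedResolver stands in for DNS with a made-up record (not a real host).
var constructedResolver Resolver = func(host string) ([]net.IP, error) {
	if host == "mixed.test" { // one public and one private record
		return []net.IP{net.ParseIP("203.0.113.11"), net.ParseIP("10.0.0.5")}, nil
	}
	return nil, fmt.Errorf("no such host: %q", host)
}
```

A real deployment would pass a resolver backed by net.LookupIP and then connect to the returned address through a custom dialer, so the address that was checked is the one that is contacted.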

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP HEAD requests from Mailpit server to internal IPs
  • Multiple API calls to /api/v1/message/*/link-check endpoint
  • Requests to cloud metadata services (169.254.169.254, 169.254.170.2)

Network Indicators:

  • Outbound HTTP HEAD requests from Mailpit to unexpected destinations
  • Traffic to internal IP ranges from Mailpit server

SIEM Query:

source="mailpit" AND (url_path="/api/v1/message/*/link-check" OR dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16))
