GHSA-8V65-47JX-7MFR
Vulnerability from github – Published: 2026-01-06 17:44 – Updated: 2026-01-08 20:11Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.
Description
The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.
Proof of Concept
Basic SSRF Request
GET /proxy?url=http://127.0.0.1:8025/api/v1/info
This returns internal API data including database path and runtime statistics.
Impact Assessment
1. Internal Network Scanning
Attacker can probe and discover internal services on the network.
2. Information Disclosure
Access to internal API data, database paths, and runtime statistics.
3. Email Content Access
Ability to read all captured emails via internal API endpoints.
4. Cloud Metadata Access
If deployed in cloud environments (AWS/GCP/Azure), potential access to instance metadata services (e.g., http://169.254.169.254/).
Attack Scenarios
Scenario 1: Development Environment Exposure
If Mailpit is accidentally exposed to the internet, attackers can leverage SSRF to access internal development resources and services.
Scenario 2: Container Escape Information
In containerized deployments, SSRF can reveal container metadata and internal service configurations.
Scenario 3: Lateral Movement
In corporate networks, SSRF can be used to discover and interact with internal services, facilitating lateral movement.
Mitigating Factors
This vulnerability is limited to HTTP GET requests with minimal headers. Additionally, Mailpit's web UI & API should be protected by basic authentication when exposed to the internet, which prevents access to the proxy endpoint.
References
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.28.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/axllent/mailpit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.28.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-21859"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-06T17:44:29Z",
"nvd_published_at": "2026-01-08T00:16:00Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit\u0027s `/proxy` endpoint that allows attackers to make requests to internal network resources.\n\n\n## Description\n\nThe `/proxy` endpoint allows requests to internal network resources. While it validates `http://` and `https://` schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.\n\n## Proof of Concept\n\n### Basic SSRF Request\n```\nGET /proxy?url=http://127.0.0.1:8025/api/v1/info\n```\n\nThis returns internal API data including database path and runtime statistics.\n \n## Impact Assessment\n\n### 1. Internal Network Scanning\nAttacker can probe and discover internal services on the network.\n\n### 2. Information Disclosure\nAccess to internal API data, database paths, and runtime statistics.\n\n### 3. Email Content Access\nAbility to read all captured emails via internal API endpoints.\n\n### 4. Cloud Metadata Access\nIf deployed in cloud environments (AWS/GCP/Azure), potential access to instance metadata services (e.g., `http://169.254.169.254/`).\n\n## Attack Scenarios\n\n### Scenario 1: Development Environment Exposure\nIf Mailpit is accidentally exposed to the internet, attackers can leverage SSRF to access internal development resources and services.\n\n### Scenario 2: Container Escape Information\nIn containerized deployments, SSRF can reveal container metadata and internal service configurations.\n\n### Scenario 3: Lateral Movement\nIn corporate networks, SSRF can be used to discover and interact with internal services, facilitating lateral movement.\n\n## Mitigating Factors\nThis vulnerability is limited to HTTP GET requests with minimal headers. Additionally, Mailpit\u0027s web UI \u0026 API should be protected by basic authentication when exposed to the internet, which prevents access to the proxy endpoint. \n\n## References\n\n- [MDN Web Security - SSRF Attacks](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF)\n- [CWE-918: Server-Side Request Forgery](https://cwe.mitre.org/data/definitions/918.html)\n- [OWASP SSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)",
"id": "GHSA-8v65-47jx-7mfr",
"modified": "2026-01-08T20:11:35Z",
"published": "2026-01-06T17:44:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21859"
},
{
"type": "WEB",
"url": "https://github.com/axllent/mailpit/commit/3b9b470c093b3d20b7d751722c1c24f3eed2e19d"
},
{
"type": "PACKAGE",
"url": "https://github.com/axllent/mailpit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.