CVE-2026-23845 Overview
CVE-2026-23845 is a Server-Side Request Forgery (SSRF) vulnerability affecting Mailpit, an email testing tool and API for developers. The vulnerability exists in versions prior to 1.28.3 and allows attackers to exploit the HTML Check feature to make unauthorized requests to internal or external resources.
The flaw resides in the inlineRemoteCSS() function, which automatically downloads CSS files from external <link rel="stylesheet" href="..."> tags during HTML email compatibility analysis. By crafting malicious HTML emails with specially crafted stylesheet links, an attacker can force the Mailpit server to make requests to arbitrary URLs, potentially accessing internal network resources or cloud metadata services.
Critical Impact
Attackers can leverage this SSRF vulnerability to probe internal network infrastructure, access cloud instance metadata services, or exfiltrate sensitive configuration data from systems behind the firewall where Mailpit is deployed.
Affected Products
- Mailpit versions prior to 1.28.3
Discovery Timeline
- 2026-01-19 - CVE-2026-23845 published to NVD
- 2026-01-19 - Last updated in the NVD database
Technical Details for CVE-2026-23845
Vulnerability Analysis
This Server-Side Request Forgery vulnerability is classified under CWE-918 (Server-Side Request Forgery). The vulnerability exists in the HTML Check API endpoint (/api/v1/message/{ID}/html-check), which is designed to analyze HTML emails for compatibility across email clients.
The core issue stems from insufficient validation of URLs in the inlineRemoteCSS() function. When processing HTML emails containing external stylesheet references, the function downloads CSS content from specified URLs without proper restrictions on the destination. This allows an attacker to craft malicious HTML content that triggers requests to arbitrary destinations, including internal network resources, localhost services, or cloud metadata endpoints.
The attack can be executed remotely without authentication and does not require user interaction. The vulnerability is rated with a changed scope (CVSS Scope: Changed), meaning the vulnerable component (Mailpit) can impact resources beyond its own security scope, such as internal network services.
Root Cause
The root cause is inadequate URL validation and lack of network-level restrictions in the inlineRemoteCSS() function. When processing external CSS links in HTML emails, the application fails to:
- Validate that target URLs resolve to external, non-private IP addresses
- Block requests to localhost, internal network ranges, or cloud metadata services
- Implement proper network context isolation for outbound requests
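The checks that list describes, as an added example rather than Mailpit's own code (package, function and sentinel names are assumptions): a Go dialer that resolves the stylesheet host, rejects loopback, private and link-local addresses such as 169.254.169.254, and then dials only the vetted IP, so the same rule covers redirects and DNS names that rebind after a URL-string check.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// ErrDisallowedDestination marks a stylesheet host the inliner must not fetch.
var ErrDisallowedDestination = errors.New("ssrf: disallowed destination")

// isDisallowedIP covers loopback, RFC1918/ULA, link-local (which includes
// the 169.254.169.254 metadata address), unspecified and multicast ranges.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// safeDialContext resolves the host, vets every returned address and dials
// the vetted IP itself, so a DNS answer cannot swap the target after the check.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host) // IP literals pass through unchanged
	if err != nil {
		return nil, err
	}
	for _, a := range ips {
		if isDisallowedIP(a.IP) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrDisallowedDestination, host, a.IP)
		}
	}
	return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// NewCSSClient returns the client a CSS inliner should use; every connection,
// including those made for redirects, goes through safeDialContext.
func NewCSSClient() *http.Client {
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{DialContext: safeDialContext}}
}

func main() {
	_, err := safeDialContext(context.Background(), "tcp", "169.254.169.254:80")
	fmt.Println(err) // ssrf: disallowed destination: 169.254.169.254 -> 169.254.169.254
}
```

Note that an allow-list of expected stylesheet hosts is stricter still; the address filter above is the minimum that closes the ranges named in the root cause.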
Attack Vector
Exploitation follows this sequence:
- The attacker crafts an HTML email containing a malicious <link rel="stylesheet" href="..."> tag pointing to an internal resource or sensitive endpoint
- The attacker sends or uploads this email to a Mailpit instance
- The attacker triggers the HTML Check feature via the /api/v1/message/{ID}/html-check API endpoint
- The server-side inlineRemoteCSS() function attempts to fetch the CSS from the attacker-specified URL
- The attacker learns about internal services or retrieves sensitive data from the response
Example attack payloads might include references to cloud metadata services (e.g., http://169.254.169.254/latest/meta-data/) or internal services (e.g., http://localhost:8080/admin).
The security patch addresses this by adding network-level restrictions, as shown in the commit:
package htmlcheck
import (
+ "context"
+ "errors"
"fmt"
"io"
+ "net"
"net/http"
"net/url"
"strings"
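Review bot: Only the import hunk is shown, so the diff does not let a reviewer confirm what the new `context`, `errors` and `net` imports are used for; the hunk that changes inlineRemoteCSS() (or the http.Transport/DialContext it fetches through) should accompany this one so the destination check can be reviewed against the root cause, namely that resolved addresses in loopback, private and link-local ranges are rejected at dial time rather than only on the URL string.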
Source: GitHub Commit Details
The visible part of the patch adds the context, errors, and net packages, which points to resolver- or dial-time validation of the destination; the checks themselves, which likely reject private IP ranges and localhost addresses, are not included in the excerpt above.
Detection Methods for CVE-2026-23845
Indicators of Compromise
- Unusual outbound HTTP requests from the Mailpit server to internal IP ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints (169.254.169.254) originating from the Mailpit process
- Anomalous access patterns to the /api/v1/message/{ID}/html-check endpoint with crafted email IDs
- Network connections from Mailpit to localhost services on unexpected ports
Detection Strategies
- Monitor API access logs for the /api/v1/message/{ID}/html-check endpoint and correlate with subsequent outbound network connections
- Implement network monitoring to detect requests from the Mailpit server to RFC1918 private address spaces or link-local addresses
- Configure application firewall rules to alert on suspicious URL patterns in HTML email content submitted to Mailpit
- Review Mailpit logs for CSS download failures or unexpected connection attempts
Monitoring Recommendations
- Deploy network-level monitoring on the Mailpit server to track all outbound HTTP requests
- Set up alerts for any Mailpit process attempting to connect to internal services or cloud metadata endpoints
- Implement rate limiting and anomaly detection on the HTML Check API endpoint
- Enable verbose logging for the HTML Check feature to capture all CSS download attempts
How to Mitigate CVE-2026-23845
Immediate Actions Required
- Upgrade Mailpit to version 1.28.3 or later immediately
- Review network logs for any exploitation attempts targeting the HTML Check API
- Implement network segmentation to restrict Mailpit's access to internal resources
- Consider temporarily disabling the HTML Check feature if immediate upgrade is not possible
Patch Information
The vulnerability has been fixed in Mailpit version 1.28.3. The security patch adds network-level restrictions to prevent SSRF attacks by validating destination URLs and blocking requests to private IP ranges. For detailed information about the fix, refer to:
Workarounds
- Restrict network egress from the Mailpit server using firewall rules to block access to internal networks and cloud metadata services
- Deploy Mailpit in an isolated network segment without access to sensitive internal resources
- Use a web application firewall (WAF) to filter malicious HTML content before it reaches Mailpit
- Disable the HTML Check feature entirely if not required for your use case
# Configuration example - Firewall rules to block SSRF attempts
# Block outbound connections to internal networks from the Mailpit server.
# Assumes Mailpit runs as a dedicated "mailpit" system user; these rules must
# precede any broad ACCEPT rule in the OUTPUT chain, so check ordering with
# "iptables -L OUTPUT -n --line-numbers" after adding them.
iptables -A OUTPUT -m owner --uid-owner mailpit -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner mailpit -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner mailpit -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -m owner --uid-owner mailpit -d 169.254.169.254 -j DROP
iptables -A OUTPUT -m owner --uid-owner mailpit -d 127.0.0.0/8 -j DROP
# The same destinations are reachable over IPv6 if the host has it enabled,
# so cover loopback, link-local and unique-local ranges there as well.
ip6tables -A OUTPUT -m owner --uid-owner mailpit -d ::1/128 -j DROP
ip6tables -A OUTPUT -m owner --uid-owner mailpit -d fe80::/10 -j DROP
ip6tables -A OUTPUT -m owner --uid-owner mailpit -d fc00::/7 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.