CVE-2026-27808: Mailpit Link Check API SSRF Vulnerability

CVE-2026-27808 Overview

CVE-2026-27808 is a Server-Side Request Forgery (SSRF) vulnerability in Mailpit, an email testing tool and API for developers. The vulnerability exists in the Link Check API endpoint (/api/v1/message/{ID}/link-check) where the server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses.

This is classified as a non-blind SSRF because the response returns status codes and status text per link, allowing attackers to enumerate and probe internal services. In the default configuration with no authentication on SMTP or API, this vulnerability is fully exploitable remotely with zero user interaction.

Critical Impact

Attackers can leverage this SSRF to scan internal networks, access internal services, and potentially exfiltrate sensitive information from systems that should not be accessible externally.

Affected Products

• Mailpit versions prior to 1.29.2

Discovery Timeline

• February 26, 2026 - CVE-2026-27808 published to NVD
• February 26, 2026 - Last updated in NVD database

Technical Details for CVE-2026-27808

Vulnerability Analysis

This SSRF vulnerability follows the same pattern as two previously identified issues in Mailpit: CVE-2026-23845 (HTML Check API) and CVE-2026-21859 (screenshot proxy). However, the Link Check API code path was not included in either of those earlier fixes, leaving this attack surface exposed.

The vulnerability is categorized under CWE-918 (Server-Side Request Forgery), which occurs when a web application fetches a remote resource without sufficiently validating the user-supplied URL. In this case, Mailpit's Link Check functionality blindly processes URLs extracted from emails and makes HTTP HEAD requests to each one.

Root Cause

The root cause is the absence of input validation on URLs before the server initiates HTTP requests. The Link Check API extracts URLs from email content and performs HTTP HEAD requests without:

1. Validating that target hosts are external/public
2. Filtering requests to private IP address ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
3. Blocking requests to loopback addresses (127.0.0.1, localhost)
4. Filtering link-local or multicast addresses

Attack Vector

The attack is network-based and requires no privileges or user interaction. An attacker can:

1. Send a crafted email to the Mailpit instance containing URLs pointing to internal services
2. Trigger the Link Check API to process the email
3. Observe the returned status codes to determine which internal services are accessible
4. Use this information to map internal network topology and identify vulnerable services

The security patch introduces a new configuration flag --allow-internal-http-requests that controls whether the link-checker and screenshots features can access internal IP addresses. This flag defaults to false for security:

// AllowInternalHTTPRequests will allow HTTP requests to internal IP addresses (e.g., loopback, private, link-local, or multicast) when set to true.
// This policy applies to both link checking and screenshot generation (proxy) features and is disabled by default for security reasons.
AllowInternalHTTPRequests = false

Source: GitHub Commit Update

The command-line interface was updated to expose this configuration option:

rootCmd.Flags().BoolVar(&config.AllowInternalHTTPRequests, "allow-internal-http-requests", config.AllowInternalHTTPRequests, "Allow link-checker & screenshots to access internal IP addresses")

Source: GitHub Commit Update

Detection Methods for CVE-2026-27808

Indicators of Compromise

• Unusual HTTP HEAD requests originating from the Mailpit server to internal IP ranges
• Requests to the /api/v1/message/{ID}/link-check endpoint with suspicious email IDs
• Network traffic from Mailpit to sensitive internal services (metadata endpoints, admin panels)
• Emails containing URLs pointing to private IP addresses or localhost

Detection Strategies

• Monitor network egress from Mailpit instances for connections to RFC 1918 private address ranges
• Implement logging on the Link Check API endpoint to track all processed URLs
• Use network segmentation to detect anomalous traffic patterns from development tools
• Alert on requests to cloud metadata endpoints (169.254.169.254) from application servers

Monitoring Recommendations

• Deploy network monitoring to detect internal scanning activity from Mailpit hosts
• Enable verbose logging on Mailpit to capture all API requests and processed URLs
• Implement honeypot services on internal networks to detect SSRF probing attempts
• Review web application firewall logs for suspicious patterns in email content

How to Mitigate CVE-2026-27808

Immediate Actions Required

• Upgrade Mailpit to version 1.29.2 or later immediately
• If upgrade is not immediately possible, restrict network access to the Mailpit API
• Enable authentication on both SMTP and API endpoints if not already configured
• Review network segmentation to limit Mailpit's ability to reach internal services

Patch Information

The vulnerability is fixed in Mailpit version 1.29.2. The fix introduces proper validation of target URLs before making HTTP requests, blocking access to internal IP addresses by default. For detailed information, see the GitHub Security Advisory GHSA-mpf7-p9x7-96r3 and Release Notes for v1.29.2.

Workarounds

• Place Mailpit behind a reverse proxy that restricts outbound requests
• Use network-level controls (firewall rules) to prevent Mailpit from accessing internal networks
• Disable the Link Check API functionality if not required for your workflow
• Enable authentication on the Mailpit API to prevent unauthorized access

# Configuration example - Run Mailpit with internal request blocking (default in 1.29.2+)
mailpit --allow-internal-http-requests=false

# Enable basic authentication on the API
mailpit --ui-auth-file=/path/to/htpasswd