Return to Sender: Turning Mailpit into an Internal Port Scanner
Vulnerability ID: CVE-2026-27808
CVSS Score: 5.8
Published: 2026-02-26
A Server-Side Request Forgery (SSRF) vulnerability in Mailpit's Link Check API allows unauthenticated remote attackers to map internal networks and enumerate cloud metadata. By injecting attacker-controlled URLs into emails and triggering the application's automated link verification, an attacker can force the server to issue HTTP requests to arbitrary destinations, bypassing network segmentation.
TL;DR
Mailpit versions prior to 1.29.2 contain a logic flaw in the 'Link Check' feature. The application does not check whether a URL resolves to a loopback, private or link-local address before initiating the connection. This allows an attacker to use the Mailpit server as a proxy to scan the internal network (localhost, RFC 1918 ranges such as 10.0.0.0/8) or to reach the cloud instance metadata endpoint (169.254.169.254 on AWS/GCP), simply by sending an email containing a crafted link and triggering the link check.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-918 (Server-Side Request Forgery)
- Attack Vector: Network (API Triggered)
- CVSS v3.1: 5.8 (Medium)
- EPSS Score: 0.047%
- Impact: Internal Reconnaissance / Metadata Exposure
- Exploit Status: PoC Available
Affected Systems
- Mailpit < 1.29.2 (fixed in 1.29.2)
- Development Environments
- CI/CD Pipelines using Mailpit
Code Analysis
Commit: 10ad4df
Fix SSRF in link check by implementing safe dialer and blocking internal IP ranges
+ func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
+ // Resolve IP and check against blocklist
+ if IsInternalIP(ip) { return nil, error }
+ }
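Review bot: in safeDialContext the `ip` handed to IsInternalIP is never derived from `addr`. The function needs to split host and port (net.SplitHostPort), resolve the host, run IsInternalIP over every address the lookup returns (an answer mixing public and private records should be rejected outright), and then dial the vetted IP literal rather than the original hostname, otherwise a second resolution during the dial can be rebound to an internal address. `return nil, error` also does not compile as Go; return a concrete value such as fmt.Errorf("refusing internal address %s", ip). Worth confirming in the full commit that the http.Transport used by the link checker has no Proxy configured, since with a proxy the dialer connects to the proxy rather than the target and the check is bypassed.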
Exploit Details
- GitHub Advisory: Advisory containing reproduction steps and root cause analysis.
Mitigation Strategies
- Network Segmentation: Ensure development tools are not exposed to the public internet.
- Input Validation: Implement strict allowlisting for any feature that performs outbound network requests.
- Safe Dialing: Use language-specific hooks (such as a custom DialContext on Go's net.Dialer, or the equivalent socket/resolver callbacks in Python's PycURL) to resolve the hostname, validate every returned IP against a blocklist of loopback, private, link-local and metadata ranges, and then connect to the validated IP rather than re-resolving the name.
- Zero Trust: Treat internal networks as hostile; require authentication for internal services like Redis and Elasticsearch.
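The safe-dialer pattern from the Input Validation and Safe Dialing items above, written out as an added example. This is illustration code, not Mailpit's fix and not from the referenced commit; the function and variable names (blockedNets, isBlockedIP, resolveAllowed, safeDialContext, newLinkCheckClient) are assumptions chosen here. The dialer resolves the host, rejects the request if any returned address is in a blocked range, and dials the vetted IP literal so the name cannot be rebound between check and connect; because http.Transport calls the dialer for every redirect hop, redirects to internal hosts are refused as well.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// mustCIDRs parses a list of CIDR strings, panicking on a typo at startup
// rather than silently shipping a hole in the blocklist.
func mustCIDRs(cidrs []string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(fmt.Sprintf("bad CIDR %q: %v", c, err))
		}
		nets = append(nets, n)
	}
	return nets
}

// blockedNets is the set of destinations an outbound link checker must never
// contact (assumed list for this example; extend it for your environment).
var blockedNets = mustCIDRs([]string{
	"0.0.0.0/8",      // "this" network
	"10.0.0.0/8",     // RFC 1918
	"172.16.0.0/12",  // RFC 1918
	"192.168.0.0/16", // RFC 1918
	"127.0.0.0/8",    // loopback
	"169.254.0.0/16", // link-local; includes the 169.254.169.254 metadata endpoint
	"100.64.0.0/10",  // CGNAT, used by some cloud metadata services
	"224.0.0.0/4",    // multicast
	"240.0.0.0/4",    // reserved and limited broadcast
	"::1/128",        // IPv6 loopback
	"::/128",         // IPv6 unspecified
	"fc00::/7",       // IPv6 unique local
	"fe80::/10",      // IPv6 link-local
})

// isBlockedIP reports whether ip falls in a blocked range. IPNet.Contains
// unmaps IPv4-mapped IPv6 addresses (::ffff:127.0.0.1), so those are caught
// by the IPv4 entries. A nil (unparseable) IP fails closed.
func isBlockedIP(ip net.IP) bool {
	if ip == nil {
		return true
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// resolveAllowed resolves host (IP literal or DNS name) and returns every
// address it maps to, refusing if ANY of them is blocked: a record set that
// mixes public and private answers is an attack signal, not a partial pass.
func resolveAllowed(ctx context.Context, host string) ([]net.IP, error) {
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, err
		}
		for _, a := range addrs {
			ips = append(ips, a.IP)
		}
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("no addresses for %q", host)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("refusing to connect to %q: %s is an internal address", host, ip)
		}
	}
	return ips, nil
}

// safeDialContext is a drop-in for http.Transport.DialContext. It dials the
// vetted IP literal, never the hostname, so a second DNS lookup cannot rebind
// the name to an internal address after the check has passed.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := resolveAllowed(ctx, host)
	if err != nil {
		return nil, err
	}
	d := &net.Dialer{Timeout: 5 * time.Second}
	var lastErr error
	for _, ip := range ips {
		conn, err := d.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
		if err == nil {
			return conn, nil
		}
		lastErr = err
	}
	return nil, lastErr
}

// newLinkCheckClient wires the dialer into an HTTP client. Proxy is left nil on
// purpose: with a proxy configured the dialer would connect to the proxy, not
// the target, and the address check would be bypassed.
func newLinkCheckClient() *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			DialContext: safeDialContext,
			Proxy:       nil,
		},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			return nil // each hop is still dialed through safeDialContext
		},
	}
}

func main() {
	// Constructed sample links of the kind an attacker would embed in an email.
	for _, u := range []string{
		"http://127.0.0.1:8025/api/v1/messages",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:10.0.0.1]/",
	} {
		_, err := newLinkCheckClient().Get(u)
		fmt.Printf("%s -> %v\n", u, err)
	}
}
```

All three sample URLs are refused before any socket is opened. For a real link checker, also reject non-HTTP schemes and consider limiting the number of links checked per message, since even a fully blocked dialer still lets an attacker measure timing against public hosts.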
Remediation Steps:
- Upgrade Mailpit to version 1.29.2 or later immediately.
- If upgrading is not possible, restrict access to the Mailpit API port (8025) using a firewall or reverse proxy with authentication (Basic Auth is supported by Mailpit).
- Audit your cloud environment to ensure instance metadata requires a token (IMDSv2 on AWS) to mitigate SSRF impact.