Share
## https://sploitus.com/exploit?id=PACKETSTORM:214745
Mailpit - Server-Side Request Forgery (SSRF)
    Advisory ID: RO-26-001
    CVE ID: CVE-2026-21859
    Severity: Medium
    Vendor: axllent
    Product: Mailpit
    Version: < 1.28.0
    
    
    Overview #
    
    A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.
    
    
    Vulnerability Details #
    
    Affected Versions: < 1.28.0
    
    Location: /api/v1/proxy endpoint
    
    Affected Parameter: url
    
    Root Cause: The vulnerability exists due to insufficient validation of user-supplied URLs. Attackers can supply internal URLs that the server will fetch on their behalf.
    
    
    Exploitation Requirements #
    
        No authentication required
        Direct access to the Mailpit web interface
    
    Impact #
    
    Remote attackers can exploit this vulnerability to:
    
        Access internal services (databases, APIs)
        Scan internal network resources
        Access cloud metadata endpoints (AWS, GCP, Azure)
        Potentially pivot to internal systems
    
    Proof of Concept #
    
    GET /api/v1/proxy?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1
    Host: mailpit.target.com
    
    
    
    Solution #
    
    Upgrade to Mailpit version 1.28.1 or later, which includes proper URL validation for the proxy endpoint.
    
    
    References #
    
        GitHub Advisory
        Mailpit Release Notes
    
    Timeline:
    
        [2026-01-06] - Discovered
        [2026-01-07] - Reported
        [2026-01-08] - Fixed
    
    Credits: Omar Kurt