CVE-2026-27808
Published: 26 February 2026
Summary
CVE-2026-27808 is a medium-severity SSRF (CWE-918) vulnerability in Axllent Mailpit. Its CVSS base score is 5.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
Validates server-side URLs and resource references to block SSRF attempts.
Detects server-side request forgery through monitoring of unexpected outbound connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in unauthenticated public-facing Mailpit API/SMTP enables T1190 initial exploitation; returned status codes from arbitrary internal URLs directly facilitate T1018 remote system discovery and T1046 network service discovery via HEAD requests to private IPs/ports.
NVD Description
Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without…
more
validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in either fix. Version 1.29.2 fixes this vulnerability.
Deeper analysisAI
Mailpit, an email testing tool and API for developers, is affected by CVE-2026-27808, a Server-Side Request Forgery (SSRF) vulnerability in the Link Check API endpoint (/api/v1/message/{ID}/link-check) prior to version 1.29.2. The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. This results in a non-blind SSRF, as the response includes status codes and status text per link, classified under CWE-918 with a CVSS v3.1 score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).
Remote attackers can exploit this vulnerability in the default configuration, which lacks authentication on SMTP or API endpoints, requiring zero user interaction. By sending an email containing arbitrary URLs to Mailpit and triggering the Link Check API, attackers force the server to issue requests to attacker-controlled hosts, including private or internal IP addresses. Attackers receive feedback on these requests via the returned status information, enabling reconnaissance or access to internal resources with low confidentiality impact.
Version 1.29.2 addresses this vulnerability. Security advisories recommend updating to this version or later for mitigation. Details are provided in the GitHub security advisory GHSA-mpf7-p9x7-96r3, release notes at https://github.com/axllent/mailpit/releases/tag/v1.29.2, and the fixing commit at https://github.com/axllent/mailpit/commit/10ad4df8cc0cd9e51dea1b4410009545eef7fbf5.
This SSRF vulnerability shares the same class as prior issues fixed in Mailpit's HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in those patches. The CVE was published on 2026-02-26.
Details
- CWE(s)