Cyber Resilience

CVE-2026-27808

MediumPublic PoC

Published: 26 February 2026

Published
26 February 2026
Modified
28 February 2026
KEV Added
Patch
CVSS Score v3.1 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
EPSS Score 0.0047 36.9th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-27808 is a medium-severity SSRF (CWE-918) vulnerability in Axllent Mailpit. Its CVSS base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Mailpit, an email testing tool and API for developers, is affected by CVE-2026-27808, a Server-Side Request Forgery (SSRF) vulnerability in the Link Check API endpoint (/api/v1/message/{ID}/link-check) prior to version 1.29.2. The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. This results in a non-blind SSRF, as the response includes status codes and status text per link, classified under CWE-918 with a CVSS v3.1 score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).

Remote attackers can exploit this vulnerability in the default configuration, which lacks authentication on SMTP or API endpoints, requiring zero user interaction. By sending an email containing arbitrary URLs to Mailpit and triggering the Link Check API, attackers force the server to issue requests to attacker-controlled hosts, including private or internal IP addresses. Attackers receive feedback on these requests via the returned status information, enabling reconnaissance or access to internal resources with low confidentiality impact.

Version 1.29.2 addresses this vulnerability. Security advisories recommend updating to this version or later for mitigation. Details are provided in the GitHub security advisory GHSA-mpf7-p9x7-96r3, release notes at https://github.com/axllent/mailpit/releases/tag/v1.29.2, and the fixing commit at https://github.com/axllent/mailpit/commit/10ad4df8cc0cd9e51dea1b4410009545eef7fbf5.

This SSRF vulnerability shares the same class as prior issues fixed in Mailpit's HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in those patches. The CVE was published on 2026-02-26.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without…

more

validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction. This is the same class of vulnerability that was fixed in the HTML Check API (CVE-2026-23845 / GHSA-6jxm-fv7w-rw5j) and the screenshot proxy (CVE-2026-21859 / GHSA-8v65-47jx-7mfr), but the Link Check code path was not included in either fix. Version 1.29.2 fixes this vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1018 Remote System Discovery Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in unauthenticated public-facing Mailpit API/SMTP enables T1190 initial exploitation; returned status codes from arbitrary internal URLs directly facilitate T1018 remote system discovery and T1046 network service discovery via HEAD requests to private IPs/ports.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23845Same product: Axllent Mailpit
CVE-2026-33321Shared CWE-918
CVE-2024-13923Shared CWE-918
CVE-2026-7049Shared CWE-918
CVE-2026-32019Shared CWE-918
CVE-2026-3052Shared CWE-918
CVE-2025-1833Shared CWE-918
CVE-2026-4200Shared CWE-918
CVE-2026-27696Shared CWE-918
CVE-2026-33399Shared CWE-918

Affected Assets

axllent
mailpit
≤ 1.29.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of URLs supplied to the Link Check API so that only permitted external hosts are accepted before any outbound HEAD request is issued.

prevent

Enforces information-flow policy that prohibits requests to internal or private IP ranges, blocking the SSRF path used by the vulnerable endpoint.

prevent

Boundary-protection mechanisms can be configured to filter or deny outbound connections to non-approved destinations, limiting the SSRF exposure in the default unauthenticated deployment.

References