Mailpit SSRF Vulnerability Exploited in Targeted Attacks
Take action: Ensure development tools like Mailpit are never exposed to the public internet without strict authentication and network segmentation. If you are using Mailpit, make sure it is isolated and update to version 1.28.1 as soon as possible. These tools are already being attacked, and the attacks will only get worse.
The CrowdSec Network reports active exploitation of a Server-Side Request Forgery (SSRF) vulnerability in Mailpit, a widely used email testing tool and API for developers.
Attacks were detected starting on February 11, 2026, and their pattern indicates that threat actors are using intelligence-driven reconnaissance rather than broad scanning. Over 130 malicious IP addresses have been linked to these attempts, which target the core infrastructure of development and testing environments.
The vulnerability is tracked as CVE-2026-21859 (CVSS score 5.8), a Server-Side Request Forgery (SSRF) flaw in the /proxy endpoint, which fails to validate destination IP addresses. Attackers send crafted HTTP GET requests with a url parameter that force the server to connect to internal resources such as 127.0.0.1 or the cloud metadata service at 169.254.169.254. This bypasses perimeter defenses because the application makes the request on the attacker's behalf and returns responses from services that are not publicly accessible.
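As an added illustration of the missing destination check (this is not Mailpit's own code or its 1.28.1 patch), the following Go function vets a caller-supplied URL before a proxy-style endpoint fetches anything: literal addresses and every address a hostname resolves to are refused when they fall in loopback, private, CGNAT, link-local (which covers 169.254.169.254) or unspecified ranges. The Resolver type and the CheckProxyTarget name are assumptions for this example; production code would pass net.LookupIP.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Added illustration, not Mailpit's code: vet a caller-supplied URL before a
// proxy-style endpoint fetches it. Every address the host maps to must be
// publicly routable; loopback, RFC 1918, CGNAT and link-local (which includes
// the 169.254.169.254 metadata service) are refused.
type Resolver func(host string) ([]net.IP, error) // injected so tests run offline

var cgnat = func() *net.IPNet { _, n, _ := net.ParseCIDR("100.64.0.0/10"); return n }()

func isBlocked(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4 // unmap ::ffff:a.b.c.d so the IPv4 rules apply
	}
	return ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast() || cgnat.Contains(ip)
}

// CheckProxyTarget returns nil if rawURL may be fetched, else an error naming why.
// The fetch must then dial the vetted IP rather than re-resolve the name, or a
// DNS rebinding between this check and the connection defeats it.
func CheckProxyTarget(rawURL string, resolve Resolver) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("unparsable url: %w", err)
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("scheme %q or host %q not allowed", u.Scheme, u.Hostname())
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // a name, not a literal: resolve it and vet every answer
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %q", host)
		}
	}
	for _, ip := range ips {
		if isBlocked(ip) {
			return fmt.Errorf("host %q maps to non-public address %s", host, ip)
		}
	}
	return nil
}
```

Basic authentication in front of the endpoint, as the advisory recommends, remains necessary even with this check, since the check only limits where an authenticated caller can point the proxy.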
Attackers can access internal API data, database paths, and runtime statistics, or even read captured emails stored within the platform. In cloud-hosted environments, this flaw allows the theft of instance metadata, which often contains temporary credentials or sensitive environment variables.
This vulnerability affects all versions of Mailpit up to and including 1.28.0. CrowdSec's analysis suggests that the window for patching is narrowing as more actors integrate the exploit into their automated toolkits.
Organizations should immediately upgrade to Mailpit version 1.28.1. If an immediate update is not possible, administrators must protect the web UI and API with basic authentication to prevent unauthorized access to the /proxy endpoint. Additionally, ensure that development tools are isolated within secure intranets and are not reachable from the public internet.