• v1.29.2 dc3e7e701f

    v1.29.2 Stable

    kerem released this 2026-02-25 02:28:48 +03:00 | 66 commits to develop since this release

    📅 Originally published on GitHub: Tue, 24 Feb 2026 23:31:43 GMT
    🏷️ Git tag created: Tue, 24 Feb 2026 23:28:48 GMT

This security release fixes CVE-2026-27808: users could use the Link Check API to probe internal network IPs/hostnames. The exploit required user access to both the API and the SMTP server, so the risk is limited to users who have publicly accessible Mailpit instances with no authentication on either the API or the SMTP server.

    Key change:

    • New opt-in flag: --allow-internal-http-requests (env MP_ALLOW_INTERNAL_HTTP_REQUESTS=true). When enabled, the Link Check API and UI screenshot proxy may access internal-network IPs.
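The mitigation this flag gates is a destination check: before the Link Check API (or the screenshot proxy) fetches a user-supplied URL, the target host is resolved and refused if any of its addresses falls in an internal range, unless internal requests have been explicitly opted in. The following Go program is an added illustration of that pattern and is not Mailpit's own code; the names `checkTarget`, `isInternalIP`, `dialControl` and `constructedResolver` are assumptions, the opt-in flag is modelled as a plain `allowInternal` bool, and the resolver table and test URLs are constructed so the program runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"syscall"
)

// Resolver maps a hostname to its addresses. It is injected so the check can
// run offline here; a real service would pass net.DefaultResolver.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// isInternalIP reports whether ip lies in a range a link checker must not reach
// on behalf of an untrusted caller: loopback, RFC 1918 / IPv6 ULA, link-local,
// multicast and the unspecified address. A nil (unparsable) IP fails closed.
func isInternalIP(ip net.IP) bool {
	if ip == nil {
		return true
	}
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4 // normalise IPv4-mapped IPv6 (::ffff:10.0.0.1) to plain IPv4
	}
	return ip.IsLoopback() ||
		ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsMulticast() ||
		ip.IsUnspecified()
}

// checkTarget decides whether a link-check request for rawURL may proceed.
// allowInternal stands in for an opt-in switch like --allow-internal-http-requests:
// when false, a host resolving to any internal address is refused.
func checkTarget(rawURL string, allowInternal bool, resolve Resolver) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	host := u.Hostname() // strips the port and IPv6 brackets
	if host == "" {
		return errors.New("missing host")
	}
	if allowInternal {
		return nil
	}
	ips, err := resolve(host)
	if err != nil {
		return err
	}
	if len(ips) == 0 {
		return fmt.Errorf("%s resolved to no addresses", host)
	}
	// Refuse if ANY record is internal, so a name with mixed public and
	// private records cannot be used to reach the private one.
	for _, ip := range ips {
		if isInternalIP(ip) {
			return fmt.Errorf("%s resolves to internal address %s", host, ip)
		}
	}
	return nil
}

// dialControl returns a net.Dialer.Control hook that re-applies the check to the
// concrete address actually being connected to. Installing it on the HTTP
// client's transport closes the gap between the lookup in checkTarget and the
// connect, so a DNS answer that changes between the two is still refused.
func dialControl(allowInternal bool) func(network, address string, c syscall.RawConn) error {
	return func(_ string, address string, _ syscall.RawConn) error {
		if allowInternal {
			return nil
		}
		host, _, err := net.SplitHostPort(address)
		if err != nil {
			return err
		}
		if isInternalIP(net.ParseIP(host)) {
			return fmt.Errorf("refusing connection to internal address %s", host)
		}
		return nil
	}
}

// constructedResolver is a stand-in for DNS backed by a small constructed
// table (documentation ranges only); IP literals resolve to themselves.
func constructedResolver(host string) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		return []net.IP{ip}, nil
	}
	table := map[string][]string{
		"public.test":    {"203.0.113.10"},
		"mixed.test":     {"203.0.113.11", "10.0.0.5"},
		"linklocal.test": {"169.254.10.10"},
	}
	addrs, ok := table[host]
	if !ok {
		return nil, fmt.Errorf("no such host: %s", host)
	}
	ips := make([]net.IP, 0, len(addrs))
	for _, a := range addrs {
		ips = append(ips, net.ParseIP(a))
	}
	return ips, nil
}

func main() {
	for _, target := range []string{"https://public.test/page", "http://127.0.0.1:8025/", "http://mixed.test/"} {
		fmt.Printf("%-26s -> %v\n", target, checkTarget(target, false, constructedResolver))
	}
}
```

The "refuse if any record is internal" rule and the dialer-level re-check are the two details that make the difference between a check that looks right and one that holds up: a resolve-then-connect sequence that only inspects the first answer, or inspects it once and then lets the HTTP client resolve again, leaves a window that the opt-in flag was never meant to open.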

    Action required:

    • This is potentially breaking for test suites that depend on Link Check probing internal resources: review and update tests as needed.

    A huge thanks to the security researcher (@rtvkiz) who reported this issue responsibly.

    Changelog:

    Security

    • Prevent Server-Side Request Forgery (SSRF) via Link Check API (CVE-2026-27808)

    Chore

    • Upgrade eslint JavaScript linting
    • Update Go dependencies
    • Update node dependencies
    • Update caniemail test database

    Fix

    • Update install instructions when setting INSTALL_PATH
    • Include 8BITMIME in SMTPD EHLO response (#648)