This release includes an important security fix, so upgrading is strongly recommended.
This security release fixes CVE-2026-27808: users could use the Link Check API to probe internal network IPs/hostnames. The exploit required user access to both the API and the SMTP server, so the risk is limited to users who have publicly-accessible Mailpit instances with no authentication on both the API and SMTP server.
Key change:
- New opt-in flag:
--allow-internal-http-requests(envMP_ALLOW_INTERNAL_HTTP_REQUESTS=true). When enabled, the Link Check API and UI screenshot proxy may access internal-network IPs.
Action required:
- This is potentially breaking for test suites that depend on Link Check probing internal resources - review and update tests as needed.
A huge thanks to the security researcher (@rtvkiz) who reported this issue responsibly.
Changelog:
Security
- Prevent Server-Side Request Forgery (SSRF) via Link Check API (CVE-2026-27808)
Chore
- Upgrade eslint JavaScript linting
- Update Go dependencies
- Update node dependencies
- Update caniemail test database
Fix
- Update install instructions when setting
INSTALL_PATH - Include
8BITMIMEin SMTPDEHLOresponse (#648)