CVE-2026-45711: Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs

May 19, 2026

The mailpit dump –http sub-command downloads every message from a remote Mailpit instance and writes each one as .eml inside the user-supplied output directory. The message ID field is taken verbatim from the JSON response of the remote server and concatenated into the output path with path.Join, which silently normalizes .. segments. A malicious HTTP server impersonating Mailpit can therefore make mailpit dump write attacker-controlled bytes to any path the running user can write, fully outside the intended output directory.

References

github.com/advisories/GHSA-qx5x-85p8-vg4j
github.com/axllent/mailpit/releases/tag/v1.30.0
github.com/axllent/mailpit/security/advisories/GHSA-qx5x-85p8-vg4j
nvd.nist.gov/vuln/detail/CVE-2026-45711

Code Behaviors & Features

Detect and mitigate CVE-2026-45711 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →