CVE-2026-41873
Status: Undergoing Analysis - In Progress
HTTP Request Smuggling in Pony Mail Lua Enables Admin Takeover

Publication date: 2026-04-28

Last updated on: 2026-04-29

Assigner: Apache Software Foundation

Description
** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under the name "Pony Mail Foal" that is not affected by this issue, but hasn't been released yet. As the Lua implementation of this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Meta Information

Published: 2026-04-28

Last Modified: 2026-04-29

Generated: 2026-05-07

AI Q&A: 2026-04-29

EPSS Evaluated: 2026-05-05
Affected Vendors & Products

Showing 1 associated CPE

Vendor: apache
Product: pony_mail
Version / Range: *
CWE

CWE-444 (Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')): The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE description does not provide specific information about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

This vulnerability is an Inconsistent Interpretation of HTTP Requests, also known as HTTP Request/Response Smuggling, found in the Lua implementation of Pony Mail. It allows an attacker to exploit how HTTP requests are processed inconsistently, which can lead to unauthorized actions such as taking over an admin account.

The issue affects all versions of the Lua implementation of Pony Mail, which is now retired and unsupported. A Python implementation called Pony Mail Foal is under development and is not affected.


How can this vulnerability impact me?

This vulnerability can lead to an attacker taking over an administrator account in the affected Pony Mail system. Such a compromise could allow unauthorized access to sensitive information, manipulation of mail data, or control over the mail system.

Since the Lua implementation is no longer supported and no fixes will be released, users are advised to either restrict access to trusted users or migrate to alternative solutions.


What immediate steps should I take to mitigate this vulnerability?

This vulnerability affects all versions of the Lua implementation of Pony Mail, which is no longer supported by the maintainer.

Immediate mitigation steps include restricting access to the affected Pony Mail instance to trusted users only.

Users are recommended to find an alternative solution, as no fixed version will be released.

