Summary
UNSUPPORTED WHEN ASSIGNED: An HTTP request smuggling flaw in the Lua implementation of Apache Pony Mail lets an attacker desynchronize request parsing between intermediaries and the app. By smuggling a hidden request, the attacker can reach admin-only functionality and take over an admin account. Public guidance says the Python Pony Mail Foal rewrite is not affected and that no fix will be released for the retired Lua codebase.
Why Fix Soon?
5/6Exploitation Details
Take over an admin account
Account TakeoverAffected Software
| Product | Affected Versions |
|---|---|
| Apache Pony Mail | all versions of the Lua implementation |
A web-based mail-archiving, archive-viewing, and interaction service for mailing lists, with optional OAuth-based access and Apache HTTPd/mod_lua delivery.
Affected ComponentHTTP request parsing and request-boundary handling in the Lua web front end / request handler.
HTTP request parsing and request-boundary handling in the Lua web front end / request handler.
Affected Endpoints(3)/api/preferences.lua, /api/email.lua…
Restrict access to trusted users and tightly limit network exposure for the retired Lua implementation.
Restrict access to trusted users and tightly limit network exposure for the retired Lua implementation.
Not available
Not available
No known threat actors
No detection rules available
NVD Data
Description Summary
CVSS Base Score
CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Software (CPE) (1)
- •cpe:2.3:a:apache:pony_mail:*:*:*:*:*:*:*:*
Sources
| Source | Article |
|---|---|
| vuln.today | Vulnerability Intelligence — April 28, 2026 |
| ponymail.apache.org | Apache Pony Mail (Incubating) - Downloads |
| ponymail.apache.org | Apache Pony Mail (Incubating) - Installing |
| ponymail.apache.org | Apache Pony Mail (Incubating) - API |
| cwiki.apache.org | Pony Mail Proposal |
Priority History
Initial analysis