Fix Soon

CVE-2026-41873

Authentication Bypass in Apache Pony Mail
Loading...

Summary

UNSUPPORTED WHEN ASSIGNED: An HTTP request smuggling flaw in the Lua implementation of Apache Pony Mail lets an attacker desynchronize request parsing between intermediaries and the app. By smuggling a hidden request, the attacker can reach admin-only functionality and take over an admin account. Public guidance says the Python Pony Mail Foal rewrite is not affected and that no fix will be released for the retired Lua codebase.

Why Fix Soon?

5/6
No authentication required
Mixed internet / internal deployment
No user interaction needed
Exploitable in default configuration
No active exploitation or PoC
High impact vulnerability

Exploitation Details

Type
Authentication Bypass
Is exploitable with default configuration?
Yes
Is authentication needed?
No
PoC / Exploit
No
Impact

Take over an admin account

Account Takeover
Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

An attacker sends a crafted HTTP request with conflicting framing headers so the front end and backend disagree about where one request ends and the next begins. The hidden request is then processed by Pony Mail as a separate request, allowing the attacker to invoke admin-only actions or hijack an admin session. Success is confirmed when protected account or preference changes occur without the intended authorization context.

Detection Resources
Manual Detection
0
Script Detection
0
Scanner Detection
0

Affected Software

Vendor:Apache
ProductAffected Versions
Apache Pony Mailall versions of the Lua implementation
Description

A web-based mail-archiving, archive-viewing, and interaction service for mailing lists, with optional OAuth-based access and Apache HTTPd/mod_lua delivery.

Deployment:Mixed (internet/internal)
|
Protocol:HTTP
|
Ports:80, 443
Affected ComponentHTTP request parsing and request-boundary handling in the Lua web front end / request handler.

HTTP request parsing and request-boundary handling in the Lua web front end / request handler.

Affected Endpoints(3)/api/preferences.lua, /api/email.lua…
1./api/preferences.lua
2./api/email.lua
3./api/atom.lua
Enterprise UsageEstimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals — not exact data.
Very Low
Low
Medium
High
Very High
Vendor Size:Medium
Vendor Notifications
Not available
Remediation
Workaround
Restrict access to trusted users and tightly limit network exposure for the retired Lua implementation.

Restrict access to trusted users and tightly limit network exposure for the retired Lua implementation.

Patch

Not available

Update

Not available

Threat Intelligence
EPSS data unavailable
CISAKEV
CISA KEV
Not Listed
Active Exploitation
No Evidence
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data

Published: Loading...Modified: Loading...

Description Summary

** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under the name "Pony Mail Foal" that is not affected by this issue, but hasn't been released yet. As the Lua implementation of this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Base Score

9.8
Critical

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Attack Vector (AV)
Physical
Local
Adjacent
Network
Attack Complexity (AC)
High
Low
Privileges Required (PR)
High
Low
None
User Interaction (UI)
Required
None
Scope (S)
Unchanged
Changed
Confidentiality (C)
None
Low
High
Integrity (I)
None
Low
High
Availability (A)
None
Low
High
CWE:CWE-444 HTTP Request/Response Smuggling
||
Version From:
|
Version Upto:

Affected Software (CPE) (1)

  • cpe:2.3:a:apache:pony_mail:*:*:*:*:*:*:*:*

Priority History

Fix SoonLoading...

Initial analysis