Cyber Posture

CVE-2026-41873

Critical

Published: 28 April 2026

Modified: 29 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (35.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under the name "Pony Mail Foal" that is not affected by this issue, but hasn't been released yet. As the Lua implementation of this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Mitigating Controls (NIST 800-53 r5)

[prevent] Prohibits use of the retired and unsupported Lua implementation of Pony Mail, directly implementing the advisory's recommendation to migrate or replace the vulnerable software.

[prevent, recover] Requires timely identification, reporting, and correction of flaws like this HTTP smuggling vulnerability, necessitating replacement of the unpatchable Pony Mail instance.

[prevent, detect] Enforces boundary protection with mechanisms like WAFs to monitor, filter, and block HTTP request smuggling attempts against the publicly accessible Pony Mail web application.

Security Summary

CVE-2026-41873 is an Inconsistent Interpretation of HTTP Requests vulnerability, classified as HTTP Request/Response Smuggling (CWE-444), affecting all versions of the Lua implementation of Pony Mail. This flaw enables admin account takeover and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The Python implementation, known as Pony Mail Foal, is not affected but remains under development and unreleased.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows full administrative account takeover, granting high levels of confidentiality, integrity, and availability impact on the affected Pony Mail instance.

Advisories note that the Lua implementation of Pony Mail is retired and unsupported, with no planned patches or fixes. Mitigation recommendations include migrating to an alternative solution or restricting access to the instance solely to trusted users. Details are available in the Apache mailing list thread and OSS-Security announcement.

Details

CWE(s)

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected Products

Apache Pony Mail, all versions

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an HTTP Request/Response Smuggling flaw in a public-facing web application (Pony Mail), enabling remote, unauthenticated admin account takeover, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References