HTTP Request Smuggling Vulnerability in Pony Mail by Apache
CVE-2026-41873

Currently unrated

Key Information:

Vendor: Apache
Status: Pony Mail
Vendor: CVE Published:; 28 April 2026

What is CVE-2026-41873?

The Horse Mail project, specifically its Lua implementation, contains a vulnerability that allows for inconsistent interpretation of HTTP requests, potentially leading to unauthorized admin account access. Due to the retirement of the Lua implementation, users are advised to either restrict access to the instance or migrate to alternative solutions, as future fixes for this vulnerability will not be provided.

Affected Version(s)

Pony Mail 0

References

https://lists.apache.org/thread/1c7jtxjobh280kqc13fzw1cg5...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 28, 2026
Vulnerability Reserved
Apr 22, 2026

Credit

Li Jiantao (@CurseRed) of STAR Labs SG Pte. Ltd. (@starlabs_sg)

Tevel Sho of STAR Labs SG Pte. Ltd

CVE-2026-41873 Data

JSON