Pony Mail admin takeover (CVE-2026-41873)
CVE-2026-41873: HTTP request smuggling in the Lua implementation of Pony Mail leads to unauthenticated admin account takeover (CVSS 9.8). No patch is available; replace the software.
Act now - CVE-2026-41873 is a critical HTTP request smuggling vulnerability in Pony Mail (Lua implementation, all versions) that lets an unauthenticated attacker take over an admin account. The product is retired and unsupported, and no fix will be released.
Overview
CVE-2026-41873 is an HTTP request/response smuggling vulnerability in the Lua implementation of Pony Mail. An attacker sends a specially crafted HTTP request whose framing the front-end and back-end components interpret differently; in the classic form of this bug class, one side honours Content-Length while the other honours Transfer-Encoding, so the two disagree about where one request ends and the next begins. That disagreement lets the attacker desynchronise the connection, prepend attacker-controlled bytes to requests from other users, bypass checks the front end was expected to enforce, and ultimately obtain administrative control of the instance. Exploitation needs no privileges or user interaction and works remotely over the network (CVSS 9.8, CRITICAL).
The impact is full admin account takeover. With admin privileges on a Pony Mail server, an attacker can read all mail, change the system configuration, and use the host as a pivot into connected services. Given the critical score and the absence of a patch, any reachable instance should be assumed to be at immediate risk of compromise.
Affected Products
- Pony Mail (Lua implementation) - ALL versions. This is the only released version of the product.
- Pony Mail Foal (Python implementation) - NOT affected. However, Foal has not been publicly released and remains in development.
Remediation and Mitigation
No patch is available. The Lua implementation of Pony Mail is retired and unsupported, and the project maintainer has stated that this vulnerability will not be fixed. Users must take the following actions:
- Immediately migrate to an alternative. This is the only complete fix; there is no safe version of the Lua Pony Mail.
- If migration is not possible yet, restrict access. Put the instance behind a firewall or reverse proxy (e.g., nginx with allow/deny rules, Apache httpd, or a WAF) that admits only trusted source IP addresses, and do not expose it to the public internet. A proxy that merely forwards traffic does not remove the smuggling risk for the clients it admits: configure it to reject requests that carry both Content-Length and Transfer-Encoding, conflicting Content-Length values, or a Transfer-Encoding that does not end in chunked, so that every request reaching Pony Mail has unambiguous framing.
- Monitor for exploitation attempts. Review proxy and server logs for requests carrying both Content-Length and Transfer-Encoding, obfuscated Transfer-Encoding values, chunked bodies sent to endpoints that never expect them, and unexplained 4xx responses or timeouts that follow a single client request (a common sign of a desynchronised connection). Also audit admin-level actions and account changes for activity you cannot tie to a known administrator.
Organizations still running Pony Mail should treat this as a critical security risk and prioritize replacement.
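The framing disagreement described in the overview, and the reverse-proxy check recommended above, as an added example in Python. This is not code from the advisory or from the Pony Mail project: the request bytes, host name and paths are constructed for illustration, and the block demonstrates the general CL.TE smuggling mechanism and a generic front-end rejection rule, not how Pony Mail parses HTTP or how CVE-2026-41873 is triggered.

```python
# Added example, not code from the advisory or the Pony Mail project.
# Shows how a Content-Length parser and a chunked parser split the same
# bytes differently (the CL.TE desync behind request smuggling) and a
# front-end check that refuses ambiguously framed requests.

CRLF = b"\r\n"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, header list, body bytes)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0].decode("ascii", "replace"), headers, body


def header_values(headers, name: bytes):
    """All values of a header, in order (duplicates are kept on purpose)."""
    return [v for n, v in headers if n == name]


def frame_by_content_length(headers, body: bytes):
    """View of a parser that honours Content-Length: (this request's body, bytes left over)."""
    n = int(header_values(headers, b"content-length")[0])
    return body[:n], body[n:]


def frame_by_chunked(body: bytes):
    """View of a parser that honours Transfer-Encoding: chunked for the same bytes."""
    out, rest = b"", body
    while True:
        size_line, _, rest = rest.partition(CRLF)
        size = int(size_line.split(b";")[0].strip(), 16)  # chunk-size, extensions ignored
        if size == 0:
            _, _, rest = rest.partition(CRLF)  # skip the (empty) trailer section
            return out, rest  # 'rest' becomes the prefix of the NEXT request on the socket
        out += rest[:size]
        rest = rest[size + len(CRLF):]  # skip chunk data and its trailing CRLF


def framing_problem(headers):
    """Front-end hardening rule: a rejection reason for ambiguous framing, or None."""
    cl = header_values(headers, b"content-length")
    te = header_values(headers, b"transfer-encoding")
    if cl and te:
        return "both Content-Length and Transfer-Encoding present"
    if len(set(cl)) > 1:
        return "conflicting Content-Length values"
    if any(not v.isdigit() for v in cl):
        return "non-numeric Content-Length"
    if te:
        codings = [c.strip().lower() for c in b",".join(te).split(b",")]
        if codings[-1] != b"chunked":
            return "Transfer-Encoding does not end with chunked"
    return None


# Constructed CL.TE request (hypothetical host and path). Content-Length covers
# all 13 body bytes, but a chunked parser stops after the zero-size chunk and
# leaves "SMUGGLED" on the connection as the start of the next request.
AMBIGUOUS = (
    b"POST / HTTP/1.1\r\n"
    b"Host: archive.example\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"SMUGGLED"
)

# Constructed, well-formed chunked request: both framings agree, nothing left over.
CHUNKED_OK = (
    b"POST / HTTP/1.1\r\n"
    b"Host: archive.example\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)


def analyse(raw: bytes):
    """Return (Content-Length view or None, chunked view or None, rejection reason)."""
    _, headers, body = parse_request(raw)
    cl_view = frame_by_content_length(headers, body) if header_values(headers, b"content-length") else None
    te_view = frame_by_chunked(body) if header_values(headers, b"transfer-encoding") else None
    return cl_view, te_view, framing_problem(headers)


if __name__ == "__main__":
    for label, raw in (("ambiguous", AMBIGUOUS), ("chunked-ok", CHUNKED_OK)):
        cl_view, te_view, reason = analyse(raw)
        print(label, "CL view:", cl_view, "TE view:", te_view, "reject:", reason)
```

The leftover bytes returned by frame_by_chunked are the whole point: whatever the back end leaves on the socket is glued onto the next request it reads, which may belong to a different user. The rejection rule in framing_problem is what a front-end proxy should apply before forwarding anything, so that the back end never sees a request whose length it could interpret differently.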
Security Insight
CVE-2026-41873 is a textbook "silent retirement" vulnerability - the product is abandoned, the flaw is public, and no fix will ever arrive. The pattern mirrors earlier episodes with unsupported PHP applications (for example, end-of-life releases of phpMyAdmin and Drupal) where public disclosure forced emergency migrations. The lesson for organizations is clear: software that a CVE record marks "UNSUPPORTED WHEN ASSIGNED" is an immediate replacement candidate, not a risk to accept. Keeping an unsupported web application reachable from the internet amounts to accepting that every flaw found in it from now on is an unpatched zero-day.