(CVE-2026-41873) Apache Pony Mail CRLF Injection and SSRF Leading to Full Account Takeover
Star Labs details CVE-2026-41873 in the retired Lua version of Apache Pony Mail, where CRLF injection in email.lua can be abused to smuggle arbitrary HTTP requests to the backend Elasticsearch service. Because Pony Mail relies on Elasticsearch for application data, the bug lets an unauthenticated attacker interact with internal-only endpoints and ultimately seize any user account, including administrators. The write-up also shows a related blind SSRF primitive in Pony Mail Foal’s OAuth flow, where a user-controlled oauth_token URL triggers server-side requests and follows redirects, enabling crafted GETs to Elasticsearch _sql endpoints. By distinguishing JSON responses from text/html parsing failures in the OAuth handler, an attacker can infer session values character by character and turn internal request access into full account takeover; no fix is planned because the project is retired.
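Added illustration, not code from the Star Labs write-up or from Pony Mail itself (which is written in Lua): a Python sketch of the two defensive checks the summary implies, a backend request line built by concatenation beside a version that rejects control characters, and an allowlist check for the server-fetched OAuth token URL. The backend address, path, message-id parameter and allowlisted host are assumptions.

```python
import re
from urllib.parse import quote, urlsplit

ES_HOST = "localhost:9200"              # assumed backend search service address
CTRL = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF and other control characters


def build_request_unsafe(mid: str) -> str:
    """Vulnerable pattern: user-supplied id spliced straight into a raw request line."""
    return f"GET /ponymail/mbox/{mid} HTTP/1.1\r\nHost: {ES_HOST}\r\n\r\n"


def build_request_safe(mid: str) -> str:
    """Hardened: refuse control characters, then percent-encode the path segment."""
    if not mid or CTRL.search(mid):
        raise ValueError("invalid message id")
    return f"GET /ponymail/mbox/{quote(mid, safe='')} HTTP/1.1\r\nHost: {ES_HOST}\r\n\r\n"


def request_count(raw: str) -> int:
    """Number of request lines in a raw HTTP buffer; more than one means a second request was smuggled."""
    return len(re.findall(r"^(?:GET|POST|PUT|DELETE) ", raw, re.M))


OAUTH_HOSTS = {"oauth.example.org"}     # assumed allowlist of identity providers


def oauth_url_allowed(url: str) -> bool:
    """Server-side fetches of a client-supplied token URL are restricted to https on an
    allowlisted host and default port; the HTTP client must also have redirects disabled,
    otherwise an allowed host could still bounce the request to an internal service."""
    p = urlsplit(url)
    return p.scheme == "https" and p.hostname in OAUTH_HOSTS and p.port in (None, 443)
```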