Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxies. This issue has been patched in version 1.4.10.
Published: 2026-04-02
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Plaintext credential exposure via API response
Action: Patch immediately
AI Analysis

Impact

Bulwark Webmail inadvertently returned the user's plaintext password in the JSON payload of the GET /api/auth/session endpoint. This flaw, a classic CWE-312 weakness (cleartext storage of sensitive information), allows anyone who can observe the response (through browser logs, local caches, or network proxies) to capture valid login credentials without any further attack steps.
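The exposure described above and its fix, modelled as an added Python example that is not Bulwark Webmail's code: the vulnerable variant serialises the whole server-side session record, the fixed variant allowlists the fields a client needs, and a recursive checker reports credential-like keys in a captured response body (the check the remediation calls for). The record layout, the field names other than `password`, and the list of credential-like keys are assumptions.

```python
"""Model of a CWE-312 leak in a session endpoint and its allowlisted fix.
Added example, not the project's code; record layout and key list are assumed."""
import json

# Constructed sample of a server-side session record; the secret is a placeholder.
SESSION_RECORD = {
    "username": "alice@example.com",
    "password": "PLACEHOLDER-SECRET",
    "display_name": "Alice",
    "expires_at": "2026-04-03T00:00:00Z",
}

def session_response_vulnerable(record: dict) -> str:
    """Serialises the entire record, so the stored password ends up in the body."""
    return json.dumps(record)

# Explicit allowlist: only what the client needs to render a session.
SESSION_PUBLIC_FIELDS = ("username", "display_name", "expires_at")

def session_response_fixed(record: dict) -> str:
    """Emits only allowlisted fields; anything not listed stays server-side."""
    return json.dumps({k: record[k] for k in SESSION_PUBLIC_FIELDS if k in record})

# Assumed set of key names that should never appear in a session response.
CREDENTIAL_KEYS = {"password", "passwd", "secret", "token", "api_key"}

def leaked_credential_keys(body: str) -> list:
    """Walks a JSON body recursively (dicts and lists) and returns the dotted
    paths of credential-like keys, case-insensitively, so a captured response
    can be checked after the upgrade."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if key.lower() in CREDENTIAL_KEYS:
                    found.append(child)
                walk(value, child)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")

    walk(json.loads(body), "")
    return found

if __name__ == "__main__":
    print("vulnerable:", leaked_credential_keys(session_response_vulnerable(SESSION_RECORD)))
    print("fixed:", leaked_credential_keys(session_response_fixed(SESSION_RECORD)))
```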

Affected Systems

Any Bulwark Webmail deployment running a version before 1.4.10 is affected regardless of its hosting environment or network configuration. The vulnerability is linked to the authentication data returned by the web interface and therefore applies to all users of the affected service.

Risk and Exploitability

The vulnerability has a CVSS base score of 8.7, reflecting a high impact on confidentiality. With an EPSS below 1% and no entry in the CISA KEV catalog, observed exploitation is currently limited, but the flaw remains exploitable. An attacker needs only to send a standard HTTP request to the vulnerable API or to intercept the traffic; no elevated privileges or code execution are required. Once the plaintext password is retrieved, the attacker can log in to the mail system, potentially reach other services tied to the same account, and compromise the user's overall security posture.

Generated by OpenCVE AI on April 10, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bulwark Webmail to version 1.4.10 or newer to remove the plaintext password from the /api/auth/session response.
  • Confirm that subsequent API responses no longer expose user credentials.
  • Examine browser logs, local caches, and network captures for evidence of exposed passwords and require impacted users to reset passwords.



Advisories

No advisories yet.

History

Thu, 09 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:bulwarkmail:webmail:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 03 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Bulwarkmail; Bulwarkmail webmail
Vendors & Products | | Bulwarkmail; Bulwarkmail webmail

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxies. This issue has been patched in version 1.4.10.
Title | | Bulwark Webmail: Information Exposure: password returned in /api/auth/session
Weaknesses | | CWE-312
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T15:40:57.901Z

Reserved: 2026-03-30T20:52:53.284Z

Link: CVE-2026-34833

Vulnrichment

Updated: 2026-04-03T15:40:53.085Z

NVD

Status: Analyzed

Published: 2026-04-02T20:16:27.423

Modified: 2026-04-09T21:13:42.907

Link: CVE-2026-34833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:43Z

Weaknesses