Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10.
Published: 2026-04-02
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access and privileged configuration changes
Action: Patch Immediately
AI Analysis

Impact

The vulnerability resides in the verifyIdentity() function of Bulwark Webmail. When a request carries no session cookies, the function returns true instead of rejecting it, so an unauthenticated request passes the identity check. An attacker can then call the /api/settings endpoint with headers of their choosing and access or modify user settings, effectively taking over the account's configuration. The weakness is a classic authentication bypass (CWE-287): a check that treats missing credentials as a reason to succeed rather than a reason to fail.

Affected Systems

Self-hosted Bulwark Webmail deployments (the webmail client for Stalwart Mail Server) running any version prior to 1.4.10 are affected. The flaw is in the verifyIdentity() check that guards API requests, including the /api/settings endpoint. Operators should record the version running on each host and treat every installation older than 1.4.10 as affected.

Risk and Exploitability

The CVSS v4.0 base score of 8.7 classifies the issue as High severity; NVD's CVSS v3.1 assessment is 7.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. Both vectors score the impact on integrity only (no confidentiality or availability impact), which matches an attacker modifying settings rather than reading mail. The EPSS score is below 1%, a low predicted probability of exploitation activity in the wild, and the CVE is not listed in the CISA KEV catalogue; the SSVC assessment nonetheless marks it as Automatable. Exploitation requires only network reach to the webmail server over HTTP/HTTPS: no credentials, no user interaction and no special conditions. The attacker sends requests to the API endpoint without any session cookie and supplies headers of their choosing to reach the settings of a target account.

Generated by OpenCVE AI on April 9, 2026 at 22:59 UTC.

Remediation

Fixed in Bulwark Webmail 1.4.10, per the CVE description; upgrading is the remediation. No vendor workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Verify the current Bulwark Webmail version on each host.
  • If the version is older than 1.4.10, upgrade the package or apply the patch from the 1.4.10 release.
  • Restart the Bulwark Webmail service to load the new code.
  • Test the /api/settings endpoint to confirm that a request with no session cookie is rejected (with or without extra headers naming a user) and that a request with a valid session still succeeds.
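The bug class in the description (a verifyIdentity() that returns true when no session cookie is present) and the post-patch check in the last step above, as an added example in JavaScript that is not Bulwark Webmail's code: the session table, the x-user header, the settings shape and the /api/settings handler are all constructed for illustration, and the real project's internals may differ. The probe sends the same three requests a practitioner would send against a live deployment and reports whether authentication is enforced.

```javascript
// Added example, not Bulwark Webmail's code. Models the CWE-287 pattern
// described for CVE-2026-34834: an identity check that succeeds when no
// session cookie is sent, after which identity is taken from request headers.
// Session ids, user names, the x-user header and the settings shape are constructed.

// Constructed session table: one valid session belonging to "alice".
const SESSIONS = new Map([['s3ss10n-ok', { user: 'alice' }]]);

// Fresh per-account settings store so each probe starts from a clean state.
function makeSettingsStore() {
  return { alice: { signature: 'Alice Example', theme: 'light' } };
}

// Minimal Cookie header parser: "name=value; name2=value2".
function parseCookies(header) {
  const cookies = {};
  if (!header) return cookies;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Pre-1.4.10 pattern: no cookies is treated as "nothing to verify" and the
// check returns true, so the request continues without any bound user.
function verifyIdentityVulnerable(req) {
  const cookies = parseCookies(req.headers.cookie);
  if (Object.keys(cookies).length === 0) {
    return true; // BUG: unauthenticated request passes the identity check
  }
  const session = SESSIONS.get(cookies.session);
  if (!session) return false;
  req.user = session.user;
  return true;
}

// Hardened pattern: a request is authenticated only when it carries a session
// cookie that resolves to a live session; nothing else can establish identity.
function verifyIdentityFixed(req) {
  const cookies = parseCookies(req.headers.cookie);
  const session = cookies.session ? SESSIONS.get(cookies.session) : undefined;
  if (!session) return false;
  req.user = session.user;
  return true;
}

// Hypothetical /api/settings handler. Once verifyIdentity() passes, the account
// comes from req.user if the session bound one, otherwise from an attacker-
// supplied header: that fallback is what "arbitrary headers" buy the attacker
// when the vulnerable check returns true without binding a user.
function handleSettings(req, verifyIdentity, store) {
  if (!verifyIdentity(req)) return { status: 401, body: { error: 'unauthorized' } };
  const user = req.user ?? req.headers['x-user'];
  if (!user || !(user in store)) return { status: 404, body: { error: 'no such account' } };
  if (req.method === 'PUT') Object.assign(store[user], req.body);
  return { status: 200, body: store[user] };
}

function request(method, headers, body) {
  return { method, headers, body };
}

// Probe for the post-patch check: an unauthenticated PUT, a PUT that only names
// the victim in a header, and a GET with a valid session. Any status other than
// 401 on the first two means the request got past the identity check.
function probeSettings(verifyIdentity) {
  const store = makeSettingsStore();
  const noCookie = handleSettings(request('PUT', {}, { signature: 'pwned' }), verifyIdentity, store);
  const forged = handleSettings(request('PUT', { 'x-user': 'alice' }, { signature: 'pwned' }), verifyIdentity, store);
  const valid = handleSettings(request('GET', { cookie: 'session=s3ss10n-ok' }), verifyIdentity, store);
  return {
    noCookie: noCookie.status,
    forgedHeader: forged.status,
    validSession: valid.status,
    tampered: store.alice.signature === 'pwned',
  };
}

// True only when every unauthenticated path is rejected and the real session still works.
function authEnforced(result) {
  return result.noCookie === 401 && result.forgedHeader === 401 &&
    result.validSession === 200 && !result.tampered;
}

console.log('vulnerable:', probeSettings(verifyIdentityVulnerable), authEnforced(probeSettings(verifyIdentityVulnerable)));
console.log('fixed:', probeSettings(verifyIdentityFixed), authEnforced(probeSettings(verifyIdentityFixed)));
```

Run with node. Against a real host the same three requests can be sent with curl to /api/settings; with the vulnerable logic the header-only PUT is accepted and the victim's settings change, while after the upgrade both cookie-less requests must come back 401 and only the request carrying a valid session cookie should succeed.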



Advisories

No advisories yet.

History

Thu, 09 Apr 2026 21:15:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:bulwarkmail:webmail:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Fri, 03 Apr 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Bulwarkmail
                                      Bulwarkmail webmail
Vendors & Products                    Bulwarkmail
                                      Bulwarkmail webmail

Thu, 02 Apr 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10.
Title                          Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation
Weaknesses                     CWE-287
References
Metrics                        cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T18:11:56.037Z

Reserved: 2026-03-30T20:52:53.284Z

Link: CVE-2026-34834

Vulnrichment

Updated: 2026-04-02T20:18:17.285Z

NVD

Status : Analyzed

Published: 2026-04-02T20:16:27.983

Modified: 2026-04-09T21:14:04.197

Link: CVE-2026-34834

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:42Z

Weaknesses