Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.
Published: 2026-04-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

Bulwark Webmail accepted S/MIME signatures that used self‑signed or otherwise untrusted certificates because the signature verification process did not validate the certificate trust chain. This allows an attacker to sign a message with a certificate that the system will treat as trusted, giving the appearance of a legitimate signed email while enabling forging of otherwise authenticated messages. The weakness is recognized as improper certificate validation, which can be exploited to compromise the perceived integrity of email communications.

Affected Systems

The affected product is Bulwark Webmail, a self‑hosted client for the Stalwart Mail Server. Versions prior to 1.4.11 are vulnerable, meaning any installation running 1.4.10 or earlier will accept untrusted signatures.

Risk and Exploitability

A CVSS score of 8.7 indicates high severity. No EPSS score is available, but the lack of trust chain validation suggests the flaw can be readily exploited by a remote attacker sending crafted messages. The vulnerability is not yet listed in the CISA KEV catalog, but its nature and severity make it a priority for patching. A likely attack vector is the injection of malicious signed emails, either unsolicited phishing attempts or legitimate-looking internal communications.

Generated by OpenCVE AI on April 7, 2026 at 02:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bulwark Webmail to version 1.4.11 or newer.

Generated by OpenCVE AI on April 7, 2026 at 02:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Bulwarkmail
Bulwarkmail webmail
Vendors & Products Bulwarkmail
Bulwarkmail webmail

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.
Title Bulwark Webmail S/MIME signature verification accepted self-signed certificates
Weaknesses CWE-295
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Bulwarkmail Webmail
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T16:19:51.168Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35389

cve-icon Vulnrichment

Updated: 2026-04-07T16:19:46.621Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-06T21:16:20.580

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35389

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T09:37:16Z

Weaknesses