Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.
Published: 2026-04-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Forged signatures
Action: Patch
AI Analysis

Impact

Bulwark Webmail does not validate the S/MIME certificate chain during signature verification, allowing messages signed with self‑signed or untrusted certificates to appear as authentic. This enables attackers to forge email signatures, potentially allowing phishing, disinformation or credential theft attacks against users who trust the signature. The weakness aligns with CWE‑295 and can compromise email integrity.

Affected Systems

Vendors: Bulwark Webmail. Product: Bulwark Webmail, a self‑hosted webmail client for the Stalwart Mail Server. Versions prior to 1.4.11 are affected; the vulnerability is fixed in 1.4.11.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV database. An attacker would need only the ability to send a signed email that uses a self‑signed certificate; if the target trusts the signature, the attacker can bypass email authenticity checks. Because the vulnerability is easy to exploit and can lead to widespread deception, administrators should treat it as high risk.

Generated by OpenCVE AI on April 9, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Bulwark Webmail to version 1.4.11 or later.
  • Confirm that the webmail client is running the patched version.
  • Review S/MIME settings to ensure certificate chain validation is enforced, and verify that email signatures display correctly after the update.

Generated by OpenCVE AI on April 9, 2026 at 22:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bulwarkmail:webmail:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Bulwarkmail
Bulwarkmail webmail
Vendors & Products Bulwarkmail
Bulwarkmail webmail

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.
Title Bulwark Webmail S/MIME signature verification accepted self-signed certificates
Weaknesses CWE-295
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Bulwarkmail Webmail
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T16:19:51.168Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35389

cve-icon Vulnrichment

Updated: 2026-04-07T16:19:46.621Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T21:16:20.580

Modified: 2026-04-09T20:58:45.777

Link: CVE-2026-35389

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:45:08Z

Weaknesses