Impact
This vulnerability arises from the getClientIP() function trusting the leftmost entry of the X-Forwarded-For header. That entry is the one value in the list an attacker fully controls: the original HTTP client can set the header before the request reaches the first proxy, and proxies normally append the peer address they observe rather than overwriting what they received. By forging this value, an attacker chooses the IP address the application records and keys on, so the request is treated as originating from a different IP. This defeats IP-based rate limiting, allowing brute-force attempts against the admin login from a single host that appear to come from many, and lets the attacker forge the source address in audit log entries so malicious activity appears to come from arbitrary addresses. The weakness is a classic case of deriving client identity from a less trusted source, mapped to CWE-348 (Use of Less Trusted Source).
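As an added illustration, not code from the Bulwark Webmail project (whose getClientIP() implementation is not shown on this page), the following Python reproduces the flawed leftmost-entry pattern beside a hardened right-to-left walk that skips only hops belonging to an operator-configured proxy set, then runs both through a small login rate limiter that also records an audit entry. The addresses, the TRUSTED_PROXIES set, the assumed proxy behaviour (append the observed peer) and the helper names are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed deployment: the reverse proxies that sit in front of the
# webmail app. Hypothetical addresses; the page names no such hosts.
TRUSTED_PROXIES = (
    ipaddress.ip_network("10.0.0.0/8"),
)


def vulnerable_get_client_ip(headers, remote_addr):
    """Flawed pattern: return the leftmost X-Forwarded-For entry.

    The leftmost entry is whatever the original HTTP client wrote, so an
    attacker picks any value and the application believes it.
    """
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[0] if hops else remote_addr


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_trusted_proxy(value, trusted):
    return _is_ip(value) and any(ipaddress.ip_address(value) in net for net in trusted)


def hardened_get_client_ip(headers, remote_addr, trusted=TRUSTED_PROXIES):
    """Walk X-Forwarded-For from the right, skipping proxies we operate.

    Only the hop appended by a proxy we control is trustworthy; everything
    to its left was supplied by whoever connected to that proxy.
    """
    # If the TCP peer is not one of our proxies, the header is plain user input.
    if not _is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    client = remote_addr
    for hop in reversed(hops):
        if not _is_ip(hop):
            break  # malformed entry: trust nothing further left
        client = hop
        if not _is_trusted_proxy(hop, trusted):
            break  # first hop we do not own is the real client
    return client


class LoginRateLimiter:
    """Counts login attempts per client IP as returned by get_ip()."""

    def __init__(self, limit, get_ip):
        self.limit = limit
        self.get_ip = get_ip
        self.attempts = defaultdict(int)
        self.audit_log = []

    def attempt(self, headers, remote_addr):
        ip = self.get_ip(headers, remote_addr)
        self.attempts[ip] += 1
        allowed = self.attempts[ip] <= self.limit
        # The audit entry records whatever get_ip() believed; with the
        # flawed resolver that value is attacker-chosen.
        self.audit_log.append((ip, "admin_login_attempt", allowed))
        return allowed


def simulate_bruteforce(get_ip, attempts=20, limit=5):
    """One attacker host (203.0.113.7) behind proxy 10.0.0.5 sends `attempts`
    admin-login requests, each with a different spoofed leftmost entry.
    The proxy appends the real peer, so the app sees "<spoof>, 203.0.113.7"
    from remote_addr 10.0.0.5.  Returns (requests allowed, distinct IPs logged).
    """
    limiter = LoginRateLimiter(limit, get_ip)
    allowed = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"198.51.100.{i}, 203.0.113.7"}
        if limiter.attempt(headers, "10.0.0.5"):
            allowed += 1
    logged_ips = {entry[0] for entry in limiter.audit_log}
    return allowed, len(logged_ips)


if __name__ == "__main__":
    print("vulnerable:", simulate_bruteforce(vulnerable_get_client_ip))  # (20, 20)
    print("hardened:  ", simulate_bruteforce(hardened_get_client_ip))    # (5, 1)
```

With the flawed resolver every one of the 20 attempts lands on a fresh counter and the audit log shows 20 different "clients"; the hardened resolver attributes all of them to 203.0.113.7, throttles after the fifth, and logs a single address. When the app is reached directly rather than through a listed proxy, the hardened version ignores the header entirely and uses the socket peer.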
Affected Systems
The issue affects the self-hosted Bulwark Webmail client in versions prior to 1.4.11; all deployments of bulwarkmail:webmail on earlier releases remain vulnerable until they upgrade to the fixed release. The product runs on the Stalwart Mail Server environment, but no access to that environment is required: the attacker only has to control the HTTP client that sends the request, because the header is set client-side before it reaches any proxy.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity. The EPSS score of less than 1% suggests exploitation is not yet widespread, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only the ability to send HTTP requests with a crafted X-Forwarded-For header; no credentials or privileged access are needed, and the attack is trivially scriptable. The attack vector is a crafted HTTP request to the webmail interface, since the vulnerability is triggered by a client-controlled header. The vulnerability is practically exploitable whenever the application is exposed directly to the internet, or sits behind a proxy that forwards the client-supplied header rather than stripping or overwriting it; in either case it enables unthrottled brute force against the admin login and forged source addresses in the audit log. Operators should check whether their reverse proxy replaces the incoming X-Forwarded-For value with the observed peer address, which mitigates the issue at that layer but is not a substitute for applying the fixed release.
OpenCVE Enrichment