Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.
Published: 2026-04-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Rate-limit bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in Bulwark Webmail's getClientIP() function, which trusts the leftmost entry of the X-Forwarded-For header. That entry is whatever the client itself sent, so an attacker can set it to any address and masquerade as that IP. This permits bypassing the IP-based rate limits that protect the administrative login, enabling brute-force attempts, and also allows forging audit log entries so that malicious activity appears to originate from an arbitrary IP. The weakness is classified as CWE-348 (Use of Less Trusted Source).
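The header handling described in the Description and in the Impact section above, as an added example that is not Bulwark Webmail's code: the vulnerable form returns the leftmost X-Forwarded-For entry, while the hardened form only honours the header when the TCP peer is a configured trusted proxy and counts from the right past the number of trusted hops. The request shape, the `trustedProxies` set and the single-proxy deployment are assumptions for illustration.

```typescript
// Added example, not code from Bulwark Webmail. Models the X-Forwarded-For
// handling the advisory describes. Assumed request shape: headers plus the
// address of the TCP peer (the reverse proxy, or the client when there is none).
interface RequestLike {
  headers: Record<string, string | undefined>;
  socketAddress: string;
}

// Split "a, b, c" into ["a", "b", "c"], dropping empty fragments.
function splitXff(raw: string | undefined): string[] {
  if (!raw) return [];
  return raw.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Vulnerable pattern: the leftmost entry is the one the client wrote, so any
// rate-limit key or audit log line derived from it is attacker-controlled.
function getClientIpVulnerable(req: RequestLike): string {
  const hops = splitXff(req.headers["x-forwarded-for"]);
  return hops.length > 0 ? hops[0] : req.socketAddress;
}

// Hardened pattern: the header is only meaningful when the peer is one of
// our own proxies, and only the entries appended by those proxies (the
// rightmost `trustedHops` of them) can be trusted. Assumed default: one proxy.
function getClientIpHardened(
  req: RequestLike,
  trustedProxies: Set<string>,
  trustedHops = 1,
): string {
  if (!trustedProxies.has(req.socketAddress)) {
    // Direct connection: ignore the header entirely, the socket is the client.
    return req.socketAddress;
  }
  const hops = splitXff(req.headers["x-forwarded-for"]);
  // The proxy nearest to us appended the rightmost entry; with N trusted
  // proxies the real client is N entries from the right.
  const idx = hops.length - trustedHops;
  if (idx < 0) {
    // Fewer entries than trusted hops: malformed chain, fall back to the peer.
    return req.socketAddress;
  }
  return hops[idx];
}
```

With one trusted proxy at 10.0.0.2 and a client-supplied `X-Forwarded-For: 203.0.113.9` that the proxy extends with the real client 198.51.100.7, the vulnerable function reports 203.0.113.9 and the hardened one 198.51.100.7.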

Affected Systems

Bulwark Webmail, the self-hosted webmail client for Stalwart Mail Server, is affected. The vulnerability exists in all releases prior to version 1.4.11. Users running Bulwark Webmail before that update are at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. The EPSS score is very low (below 1%), but the flaw can be exploited by any client who can reach the web application, without authentication, by sending a request that carries a forged X-Forwarded-For header. Because that header is normally set by reverse proxies in front of the application, the exposed attack surface is any externally reachable deployment of the web interface. The vulnerability is not listed in CISA's KEV catalog, but its impact on authentication and audit integrity makes it a serious threat to exposed deployments.

Generated by OpenCVE AI on April 7, 2026 at 02:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bulwark Webmail to version 1.4.11 or later.
  • Verify that getClientIP() no longer trusts client-supplied X-Forwarded-For headers.
  • Ensure reverse proxies strip or limit client-supplied X-Forwarded-For headers before requests reach the application.
  • Monitor administrative login attempts and audit logs for abnormal activity.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Bulwarkmail; Bulwarkmail webmail

Type: Vendors & Products
Values Added: Bulwarkmail; Bulwarkmail webmail

Tue, 07 Apr 2026 00:00:00 +0000

Type: Description
Values Added: Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.

Type: Title
Values Added: Bulwark Webmail getClientIP() trusted client-controlled X-Forwarded-For value, enabling rate limit bypass and audit log forgery

Type: Weaknesses
Values Added: CWE-348

Type: References
Values Added: (none listed)

Type: Metrics (cvssV4_0)
Values Added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T15:09:49.591Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35391

Vulnrichment

Updated: 2026-04-07T14:55:31.436Z

NVD

Status : Undergoing Analysis

Published: 2026-04-06T21:16:20.867

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35391

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:13Z

Weaknesses