5 matches found
CVE-2026-34834
Bulwark Webmail (self-hosted webmail client for Stalwart Mail Server) had an authentication bypass in verifyIdentity() before version 1.4.10 due to missing session cookie validation. The logic returned true when no session cookies were present, allowing unauthenticated attackers to bypass securit...
CVE-2026-34833
Bulwark Webmail (self-hosted for Stalwart Mail Server) exposed plaintext user passwords in the GET /api/auth/session response prior to version 1.4.10. The vulnerability allowed credentials to appear in browser logs, local caches, and network proxies. The issue is fixed in version 1.4.10. No explo...
CVE-2026-35389
CVE-2026-35389 affects Bulwark Webmail (self-hosted client for Stalwart Mail Server). Before version 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false), causing emails signed with self-signed or untrusted certificates to appear as having a valid...
CVE-2026-35391
CVE-2026-35391 affects Bulwark Webmail (lib/admin/session.ts getClientIP) prior to version 1.4.11. The function trusts the first (leftmost) entry of the X-Forwarded-For header, which is client-controlled. This allows an attacker to forge their source IP to bypass IP-based rate limiting (facilitat...
CVE-2026-35390
This CVE concerns Bulwark Webmail (self-hosted for Stalwart Mail Server). Before 1.4.11, the reverse proxy (proxy.ts) sent Content-Security-Policy-Report-Only instead of the enforcing Content-Security-Policy, causing XSS protections to log but not block. As a result, an attacker able to inject sc...