CVE-2026-34833

HIGH

Bulwark Webmail: Information Exposure: password returned in /api/auth/session

Title source: cna

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxie. This issue has been patched in version 1.4.10.

References (2)

[X_Refsource_Confirm] https://github.com/bulwarkmail/webmail/security/advisories/GHSA-47pm-883h-885r

[X_Refsource_Misc] https://github.com/bulwarkmail/webmail/releases/tag/1.4.10

Scores

CVSS v3 7.5

EPSS 0.0002

EPSS Percentile 4.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-312

Status published

Products (1)

bulwarkmail/webmail < 1.4.10 (2 CPE variants)

Published Apr 02, 2026

Tracked Since Apr 03, 2026