CVE-2026-34834

HIGH

Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation

Title source: cna

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10.

References (2)

[X_Refsource_Confirm] https://github.com/bulwarkmail/webmail/security/advisories/GHSA-4356-876g-rfmh

[X_Refsource_Misc] https://github.com/bulwarkmail/webmail/releases/tag/1.4.10

Scores

CVSS v3 7.5

EPSS 0.0009

EPSS Percentile 25.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-287

Status published

Products (1)

bulwarkmail/webmail < 1.4.10 (2 CPE variants)

Published Apr 02, 2026

Tracked Since Apr 03, 2026