PT-2026-29879 · Unknown · Bulwark Webmail+1
Richardweinberger · Published 2026-04-02 · Updated 2026-04-03
CVE-2026-34833
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Bulwark Webmail versions prior to 1.4.10
Description
Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server, previously included a user's plaintext password in the JSON response when accessing the /api/auth/session endpoint. This exposed credentials to browser logs, local caches, and network proxies.
Recommendations
Update Bulwark Webmail to version 1.4.10 or later.
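One way to confirm after upgrading that a captured /api/auth/session response no longer carries credentials, as an added example that is not Bulwark Webmail's own code. The advisory does not show the response shape, so the field names, sample payloads and the function name findCredentialLeaks are constructed assumptions.

```javascript
// Added example: regression check for a session JSON body.
// Flags (a) credential-like keys holding a non-empty string and
// (b) any string that contains the test account's known password.
const SENSITIVE_KEY = /passw(or)?d|secret|credential/i;

function findCredentialLeaks(body, knownPassword) {
  const findings = [];
  (function walk(node, path) {
    if (Array.isArray(node)) {
      node.forEach((v, i) => walk(v, `${path}[${i}]`));
    } else if (node !== null && typeof node === 'object') {
      for (const [key, value] of Object.entries(node)) {
        const p = path ? `${path}.${key}` : key;
        if (SENSITIVE_KEY.test(key) && typeof value === 'string' && value !== '') {
          findings.push({ path: p, reason: 'credential-like key' });
        }
        walk(value, p);
      }
    } else if (typeof node === 'string' && knownPassword && node.includes(knownPassword)) {
      findings.push({ path, reason: 'contains test account password' });
    }
  })(body, '');
  return findings;
}

// Constructed sample data (hypothetical shapes, throwaway test password).
const TEST_PASSWORD = 'S3ssion-Test-Pw!';
const VULNERABLE_SAMPLE = {
  user: { email: 'alice@example.test', password: TEST_PASSWORD },
  expires: '2026-05-01T00:00:00.000Z',
};
const FIXED_SAMPLE = {
  user: { email: 'alice@example.test', name: 'Alice' },
  expires: '2026-05-01T00:00:00.000Z',
};
// Password surfacing under an innocuous key is caught by the value match.
const INDIRECT_SAMPLE = { debug: [`login ok for alice with ${TEST_PASSWORD}`] };

for (const [name, sample] of Object.entries({ VULNERABLE_SAMPLE, FIXED_SAMPLE, INDIRECT_SAMPLE })) {
  console.log(name, findCredentialLeaks(sample, TEST_PASSWORD));
}
```

Run it against a response captured with a dedicated test account so the known password used for value matching is disposable.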
Fix
Cleartext Storage of Sensitive Information
Weakness Enumeration
Related Identifiers
Affected Products
Bulwark Webmail
Stalwart Mail Server