PT-2026-29880 · Unknown · Bulwark Webmail+1
Richardweinberger · Published 2026-04-02 · Updated 2026-04-03
CVE-2026-34834
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Bulwark Webmail versions prior to 1.4.10
Description
Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server, had a security flaw in the verifyIdentity() function. This function incorrectly returned true when no session cookies were present, allowing unauthenticated attackers to bypass security checks. Attackers could access and modify user settings via the /api/settings endpoint by providing arbitrary headers.
Recommendations
Update Bulwark Webmail to version 1.4.10 or later.
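The fail-open behaviour in the description, modelled next to a fail-closed check, with a small regression matrix for the cases an identity check should be tested against. This is an added illustration, not Bulwark Webmail's code: the session map, the cookie name `session`, the `claimedUser` parameter and both function bodies are assumptions.

```javascript
// Illustrative model only, not Bulwark Webmail's source. The session store,
// cookie name, claimedUser parameter and function bodies are assumptions.
const SESSIONS = new Map([["sid-alice", "alice@example.test"]]); // constructed

// Parse a Cookie header value into a Map of name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// Fail-open shape from the description: with no session cookie there is
// nothing to compare against, and the check reports success.
function verifyIdentityFailOpen(headers, claimedUser) {
  const sid = parseCookies(headers.cookie).get("session");
  if (sid === undefined) return true; // flaw: a missing cookie passes
  return SESSIONS.get(sid) === claimedUser;
}

// Fail-closed shape: only a known server-side session can vouch for a user.
function verifyIdentityFailClosed(headers, claimedUser) {
  const sid = parseCookies(headers.cookie).get("session");
  if (sid === undefined) return false;
  const owner = SESSIONS.get(sid);
  return owner !== undefined && owner === claimedUser;
}

// Regression matrix: every case except validSession must be rejected.
function runMatrix(verify) {
  const cases = {
    noCookie: [{}, "alice@example.test"],
    unknownSession: [{ cookie: "session=bogus" }, "alice@example.test"],
    wrongUser: [{ cookie: "session=sid-alice" }, "bob@example.test"],
    validSession: [{ cookie: "session=sid-alice" }, "alice@example.test"],
  };
  const out = {};
  for (const [name, [headers, user]] of Object.entries(cases)) out[name] = verify(headers, user);
  return out;
}

console.log("fail-open  :", runMatrix(verifyIdentityFailOpen));
console.log("fail-closed:", runMatrix(verifyIdentityFailClosed));
```

A `noCookie` case of this kind in the test suite of any authenticated endpoint catches a regression to the fail-open behaviour.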
Fix
Improper Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Bulwark Webmail
Stalwart Mail Server