PT-2026-30727 · Unknown · Bulwark Webmail+1
Richardweinberger · Published 2026-04-06 · Updated 2026-04-06 · CVE-2026-35389
CVSS v4.0: 8.7 (High)
AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Bulwark Webmail versions prior to 1.4.11
Description
Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server, had an issue in S/MIME signature verification. Before version 1.4.11, the software did not validate the certificate trust chain during signature verification. This meant that emails signed with self-signed or untrusted certificates were incorrectly displayed as having valid signatures.
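The difference between checking only the signature and also validating the signer's trust chain can be exercised as a regression check with the OpenSSL command line. This is an added example, not Bulwark Webmail's code or its fix; the certificate subjects, file names and temporary directory are constructed, and it assumes `openssl` is on the PATH.

```shell
#!/usr/bin/env bash
# Added example. Subjects, addresses and file names are constructed for the demo.

# Create two unrelated self-signed certificates and a message signed by one.
make_fixtures() {
  local dir=$1 name
  for name in anchor signer; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=${name}@example.test" \
      -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null || return 1
  done
  printf 'constructed test body\n' > "$dir/body.txt"
  openssl smime -sign -in "$dir/body.txt" -signer "$dir/signer.crt" \
    -inkey "$dir/signer.key" -out "$dir/signed.eml" 2>/dev/null
}

# Weak check: the signature is verified, the signer's certificate chain is not.
verify_signature_only() {
  openssl smime -verify -noverify -in "$1" -out /dev/null 2>/dev/null
}

# Full check: signature plus chain building to a certificate in trust store $2.
verify_with_chain() {
  openssl smime -verify -CAfile "$2" -in "$1" -out /dev/null 2>/dev/null
}

# Turn the exit status of a check into a label for the report.
label() { if "$@"; then echo accepted; else echo rejected; fi; }

main() {
  local dir; dir=$(mktemp -d) || return 1
  make_fixtures "$dir" || { echo "openssl failed" >&2; return 1; }
  echo "signature only:          $(label verify_signature_only "$dir/signed.eml")"
  echo "chain, unrelated anchor: $(label verify_with_chain "$dir/signed.eml" "$dir/anchor.crt")"
  echo "chain, signer trusted:   $(label verify_with_chain "$dir/signed.eml" "$dir/signer.crt")"
  rm -rf "$dir"
}
main
```

A mail client should show a signature as valid only when the second kind of check succeeds against its configured trust store; the third line is a positive control showing that the chain check passes once the signer is explicitly trusted.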
Recommendations
Update to version 1.4.11 or later.
Fix
Improper Certificate Validation
Weakness Enumeration
Related Identifiers
Affected Products
Bulwark Webmail
Stalwart Mail Server