PT-2026-30729 · Unknown · Stalwart Mail Server+1
Richardweinberger · Published 2026-04-06 · Updated 2026-04-06 · CVE-2026-35391
CVSS v4.0: 8.7 (High)
CVSS v4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Bulwark Webmail versions prior to 1.4.11
Description
Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server, is affected by an issue in which the getClientIP() function in lib/admin/session.ts trusts the first (leftmost) entry of the X-Forwarded-For header. Because the X-Forwarded-For header is fully controlled by the client, an attacker can forge their apparent source IP address, potentially bypassing IP-based rate limiting and forging audit log entries.
Recommendations
Update to Bulwark Webmail version 1.4.11 or later.
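The following TypeScript is an added illustration, not Bulwark's code and not the real getClientIP() implementation: it contrasts the weak "first entry wins" pattern the description names with a version that only honours X-Forwarded-For when the connection arrives from a configured trusted proxy and then reads the chain from the right. ReqLike, naiveClientIp, clientIpBehindProxies and all addresses are assumptions made for the example.

```typescript
// Added example (not the project's code). Two ways of deriving a client IP
// from X-Forwarded-For. `naiveClientIp` mirrors the weak pattern described
// in the advisory; `clientIpBehindProxies` is a hardened alternative.

interface ReqLike {
  socketAddress: string; // peer address of the TCP connection (assumed field)
  headers: Record<string, string | undefined>;
}

// Split "a, b, c" into ["a", "b", "c"], dropping empty entries.
function parseXff(header: string | undefined): string[] {
  if (!header) return [];
  return header.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Weak: the leftmost entry wins. That entry is whatever the client sent, so
// a rate limiter or audit log keyed on it records an attacker-chosen value.
function naiveClientIp(req: ReqLike): string {
  const chain = parseXff(req.headers["x-forwarded-for"]);
  return chain.length > 0 ? chain[0] : req.socketAddress;
}

// Hardened: honour the header only when the peer is a trusted proxy, then
// take the rightmost entry that is not itself a trusted proxy. Each trusted
// proxy appends exactly one entry, so everything left of those is untrusted.
function clientIpBehindProxies(req: ReqLike, trustedProxies: Set<string>): string {
  if (!trustedProxies.has(req.socketAddress)) {
    // Direct connection or unknown upstream: ignore the header entirely.
    return req.socketAddress;
  }
  const chain = parseXff(req.headers["x-forwarded-for"]);
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(chain[i])) return chain[i];
  }
  // Header missing or made up only of trusted proxies: fall back to the peer.
  return req.socketAddress;
}
```

With a single trusted reverse proxy in front, the hardened version yields the address the proxy observed even when the client prepends a forged entry, and it ignores the header completely on direct connections.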
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Bulwark Webmail
Stalwart Mail Server