HIGH🇬🇧 English

CVE-2026-35391

CVSS 8.7v4.0pub. 2026-04-06upd. 2026-04-09

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Bulwarkmail Webmail

    APP
    Bulwarkmail
    < 1.4.11
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-35389HIGH8.7ten sam produkt

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature ve...

CVE-2026-34833HIGH8.7ten sam produkt

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /ap...

CVE-2026-34834HIGH8.7ten sam produkt

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyI...

CVE-2026-35390MEDIUM5.3ten sam produkt

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (...