HIGH🇵🇱 Wersja polska

CVE-2026-34834

CVSS 8.7v4.0pub. 2026-04-02upd. 2026-04-09

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Bulwarkmail Webmail

    APP
    Bulwarkmail
    < 1.4.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-35389HIGH8.7ten sam produkt

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature ve...

CVE-2026-35391HIGH8.7ten sam produkt

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() f...

CVE-2026-34833HIGH8.7ten sam produkt

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /ap...

CVE-2026-35390MEDIUM5.3ten sam produkt

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (...