Bulwark Webmail getClientIP() trusted client-controlled X-Forwarded-For value, enabling rate limit...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.

Basic Information

ID CVE-2026-35391

Source GitHub_M

Published Apr 6, 2026 at 20:17

Modified Apr 7, 2026 at 15:09

Affected Product

Vendor bulwarkmail

Product webmail

Version < 1.4.11

Affected Versions bulwarkmail webmail < 1.4.11

CWE Classification

CWE-348

References

github.com /bulwarkmail/webmail/security/advisories/GHSA-7pj2-232x-6698

{
    "lastseen": "",
    "description": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.",
    "published": "2026-04-06T20:17:39.793Z",
    "modified": "2026-04-07T15:09:49.591Z",
    "type": "cve",
    "title": "Bulwark Webmail getClientIP() trusted client-controlled X-Forwarded-For value, enabling rate limit bypass and audit log forgery",
    "source": "GitHub_M",
    "references": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-7pj2-232x-6698",
    "id": "CVE-2026-35391",
    "bulletinFamily": "",
    "cwe": [
        "CWE-348"
    ],
    "cvelist": null,
    "sourceData": "bulwarkmail webmail < 1.4.11",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "webmail",
    "version": "< 1.4.11",
    "vendor": "bulwarkmail",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Bulwark Webmail getClientIP() trusted client-controlled X-Forwarded-For value, enabling rate limit bypass and audit log forgery_CVE-2026-35391