Bulwark Webmail: Information Exposure: password returned in /api/auth/session_CVE-2026-34833

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxie. This issue has been patched in version 1.4.10.

Basic Information

ID CVE-2026-34833

Source GitHub_M

Published Apr 2, 2026 at 19:11

Modified Apr 3, 2026 at 15:40

Affected Product

Vendor bulwarkmail

Product webmail

Version < 1.4.10

Affected Versions bulwarkmail webmail < 1.4.10

CWE Classification

CWE-312

References

{
    "lastseen": "",
    "description": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxie. This issue has been patched in version 1.4.10.",
    "published": "2026-04-02T19:11:39.303Z",
    "modified": "2026-04-03T15:40:57.901Z",
    "type": "cve",
    "title": "Bulwark Webmail: Information Exposure: password returned in /api/auth/session",
    "source": "GitHub_M",
    "references": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-47pm-883h-885r\nhttps://github.com/bulwarkmail/webmail/releases/tag/1.4.10",
    "id": "CVE-2026-34833",
    "bulletinFamily": "",
    "cwe": [
        "CWE-312"
    ],
    "cvelist": null,
    "sourceData": "bulwarkmail webmail < 1.4.10",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "webmail",
    "version": "< 1.4.10",
    "vendor": "bulwarkmail",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}