Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10.

Basic Information

ID CVE-2026-34834

Source GitHub_M

Published Apr 2, 2026 at 19:11

Modified Apr 3, 2026 at 18:11

Affected Product

Vendor bulwarkmail

Product webmail

Version < 1.4.10

Affected Versions bulwarkmail webmail < 1.4.10

CWE Classification

CWE-287

References

{
    "lastseen": "",
    "description": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10.",
    "published": "2026-04-02T19:11:54.448Z",
    "modified": "2026-04-03T18:11:56.037Z",
    "type": "cve",
    "title": "Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation",
    "source": "GitHub_M",
    "references": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-4356-876g-rfmh\nhttps://github.com/bulwarkmail/webmail/releases/tag/1.4.10",
    "id": "CVE-2026-34834",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "bulwarkmail webmail < 1.4.10",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "webmail",
    "version": "< 1.4.10",
    "vendor": "bulwarkmail",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation_CVE-2026-34834