CVE-2026-34834 HIGH

CVE-2026-34834: Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation

Vendor Bulwarkmail
Product webmail
Weakness CWE-287 · Improper authentication
Published April 2, 2026
Last update April 3, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10.
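The fail-open pattern the description refers to, shown as an added illustration in JavaScript; this is not Bulwark Webmail's code, and the cookie name, the session store, and the `x-user` header that the vulnerable version trusts are assumptions made for the demo (the advisory does not say which headers were involved).

```javascript
// Added illustration of the CWE-287 bug class in CVE-2026-34834.
// Not Bulwark Webmail's code: cookie name, session store and the
// "x-user" header are constructed stand-ins.

// Parse a Cookie header into a name -> value map (constructed helper).
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Constructed server-side session store: cookie value -> username.
const SESSIONS = new Map([["sess-abc123", "alice"]]);

// Vulnerable shape: "no cookies present" is treated as "nothing to
// check" and the function returns success, so a request that simply
// omits cookies is accepted and downstream code may trust a caller-
// supplied header for identity.
function verifyIdentityVulnerable(req) {
  const cookies = parseCookies(req.headers.cookie);
  if (Object.keys(cookies).length === 0) {
    return { ok: true, user: req.headers["x-user"] || null }; // BUG: fail-open
  }
  const user = SESSIONS.get(cookies.session);
  return user ? { ok: true, user } : { ok: false, user: null };
}

// Fixed shape: a missing or unknown session cookie is an authentication
// failure, and identity comes only from the server-side session.
function verifyIdentityFixed(req) {
  const token = parseCookies(req.headers.cookie).session;
  if (!token) return { ok: false, user: null }; // fail-closed
  const user = SESSIONS.get(token);
  return user ? { ok: true, user } : { ok: false, user: null };
}

// Constructed sample requests.
const noCookieReq = { headers: { "x-user": "admin" } };
const validReq = { headers: { cookie: "session=sess-abc123" } };
const badReq = { headers: { cookie: "session=nope" } };
```

Detection-wise, the fixed variant also gives you a clean place to log every rejected `/api/settings` call that arrived without a session cookie.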

Key dates

Disclosure timeline

April 2, 2026 CVE published
April 3, 2026 Record updated
