{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34833", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.284Z", "datePublished": "2026-04-02T19:11:39.303Z", "dateUpdated": "2026-04-03T15:40:57.901Z"}, "containers": {"cna": {"title": "Bulwark Webmail: Information Exposure: password returned in /api/auth/session", "problemTypes": [{"descriptions": [{"cweId": "CWE-312", "lang": "en", "description": "CWE-312: Cleartext Storage of Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-47pm-883h-885r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-47pm-883h-885r"}, {"name": "https://github.com/bulwarkmail/webmail/releases/tag/1.4.10", "tags": ["x_refsource_MISC"], "url": "https://github.com/bulwarkmail/webmail/releases/tag/1.4.10"}], "affected": [{"vendor": "bulwarkmail", "product": "webmail", "versions": [{"version": "< 1.4.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:11:39.303Z"}, "descriptions": [{"lang": "en", "value": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxie. This issue has been patched in version 1.4.10."}], "source": {"advisory": "GHSA-47pm-883h-885r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T15:40:47.651827Z", "id": "CVE-2026-34833", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:40:57.901Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34833", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T15:40:47.651827Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:40:53.085Z"}}], "cna": {"title": "Bulwark Webmail: Information Exposure: password returned in /api/auth/session", "source": {"advisory": "GHSA-47pm-883h-885r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "bulwarkmail", "product": "webmail", "versions": [{"status": "affected", "version": "< 1.4.10"}]}], "references": [{"url": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-47pm-883h-885r", "name": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-47pm-883h-885r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/bulwarkmail/webmail/releases/tag/1.4.10", "name": "https://github.com/bulwarkmail/webmail/releases/tag/1.4.10", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxie. This issue has been patched in version 1.4.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-312", "description": "CWE-312: Cleartext Storage of Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:11:39.303Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34833", "state": "PUBLISHED", "dateUpdated": "2026-04-03T15:40:57.901Z", "dateReserved": "2026-03-30T20:52:53.284Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T19:11:39.303Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxie. This issue has been patched in version 1.4.10."}], "id": "CVE-2026-34833", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T20:16:27.423", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/bulwarkmail/webmail/releases/tag/1.4.10"}, {"source": "security-advisories@github.com", "url": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-47pm-883h-885r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "webmail", "source": "cna", "vendor": "bulwarkmail"}, "product": "webmail", "vendor": "bulwarkmail"}], "analysis": {"en": {"generated_at": "2026-04-02T22:49:18.121183+00:00", "value": {"mitigation_remediation": ["Upgrade Bulwark Webmail to version 1.4.10 or newer.", "Verify that the /api/auth/session response no longer contains plaintext passwords.", "Audit browser and server logs for any recorded credentials and delete them if found.", "If an upgrade cannot be applied immediately, consider temporarily disabling or restricting access to the /api/auth/session endpoint."], "summary": {"action": "Patch", "impact": "Credential Exposure"}, "threat_synthesis": {"affected_systems": "All Bulwark Webmail installations whose webmail component version is older than 1.4.10 are affected. The product is a self\u2011hosted webmail client for the Stalwart Mail Server, provided by Bulwarkmail. No other vendor or product versions are listed beyond the specified threshold.", "description_and_impact": "The vulnerability lies in the Bulwark Webmail GET /api/auth/session endpoint, which returned the authenticated user's plaintext password in the JSON payload. This disclosed credentials to anyone who could observe the response, such as in browser logs, local caches, or through a network proxy. The flaw is a classic example of transmission of sensitive information in an insecure manner (CWE\u2011312) and can compromise user confidentiality.", "risk_and_exploitability": "The CVSS base score of 8.7 indicates a high severity risk. Although EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, the potential for credential compromise remains significant. An attacker would need to reach the /api/auth/session endpoint, which is typically accessible only to authenticated sessions; once reached, the plaintext password is exposed, allowing theft of user credentials. The risk is higher if the endpoint is exposed to external users or if clients store or log responses."}}}}, "created": "2026-04-03T07:31:28.367797+00:00", "updated": "2026-04-03T09:16:24.041824+00:00", "vendors": ["bulwarkmail", "bulwarkmail$PRODUCT$webmail"]}