{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34834", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.284Z", "datePublished": "2026-04-02T19:11:54.448Z", "dateUpdated": "2026-04-03T18:11:56.037Z"}, "containers": {"cna": {"title": "Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-4356-876g-rfmh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-4356-876g-rfmh"}, {"name": "https://github.com/bulwarkmail/webmail/releases/tag/1.4.10", "tags": ["x_refsource_MISC"], "url": "https://github.com/bulwarkmail/webmail/releases/tag/1.4.10"}], "affected": [{"vendor": "bulwarkmail", "product": "webmail", "versions": [{"version": "< 1.4.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:11:54.448Z"}, "descriptions": [{"lang": "en", "value": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10."}], "source": {"advisory": "GHSA-4356-876g-rfmh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T20:18:07.477640Z", "id": "CVE-2026-34834", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T18:11:56.037Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34834", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T20:18:07.477640Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T20:18:17.285Z"}}], "cna": {"title": "Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation", "source": {"advisory": "GHSA-4356-876g-rfmh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "bulwarkmail", "product": "webmail", "versions": [{"status": "affected", "version": "< 1.4.10"}]}], "references": [{"url": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-4356-876g-rfmh", "name": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-4356-876g-rfmh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/bulwarkmail/webmail/releases/tag/1.4.10", "name": "https://github.com/bulwarkmail/webmail/releases/tag/1.4.10", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:11:54.448Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34834", "state": "PUBLISHED", "dateUpdated": "2026-04-03T18:11:56.037Z", "dateReserved": "2026-03-30T20:52:53.284Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T19:11:54.448Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10."}], "id": "CVE-2026-34834", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T20:16:27.983", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/bulwarkmail/webmail/releases/tag/1.4.10"}, {"source": "security-advisories@github.com", "url": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-4356-876g-rfmh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "webmail", "source": "cna", "vendor": "bulwarkmail"}, "product": "webmail", "vendor": "bulwarkmail"}], "analysis": {"en": {"generated_at": "2026-04-02T22:19:34.894636+00:00", "value": {"mitigation_remediation": ["Upgrade Bulwark Webmail to version\u202f1.4.10 or newer.", "If upgrade is delayed, restrict unauthenticated access to the /api/settings endpoint using network firewall or application layer rules.", "Verify that the webmail instance detects and rejects requests lacking the required session cookie after patching.", "Monitor logs for failed authentication or unexpected settings changes as a security indicator."], "summary": {"action": "Apply Patch", "impact": "Authentication Bypass Leading to Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Bulwarkmail Webmail, a self\u2011hosted client for Stalwart Mail Server. All releases before version\u202f1.4.10 are affected, including 1.4.9 and earlier. Upgrading to 1.4.10 or later resolves the issue.", "description_and_impact": "Bulwark Webmail's verifyIdentity() function incorrectly returned true when no session cookies were present, allowing an attacker to bypass authentication checks. An unauthenticated user could then send requests to the /api/settings endpoint with arbitrary headers, gaining full read and write access to a victim's mail settings. This flaw is an Authentication Bypass (CWE\u2011287) and undermines the confidentiality and integrity of email configuration.", "risk_and_exploitability": "The CVSS score of 8.7 classifies the vulnerability as High. Exploitability is high because no prior authentication is required; an attacker merely needs web access to the application to send crafted requests to /api/settings. The vulnerability is not listed in the CISA KEV catalogue and EPSS data is not available. The likely attack vector is remote, via HTTP(S), and can be performed without any privileged credentials."}}}}, "created": "2026-04-03T07:31:27.328533+00:00", "updated": "2026-04-03T09:16:22.835556+00:00", "vendors": ["bulwarkmail", "bulwarkmail$PRODUCT$webmail"]}