Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10.

Affected Products

Vendor	Product	Versions
bulwarkmail	webmail	< 1.4.10

References

https://github.com/bulwarkmail/webmail/security/advisories/GHSA-4356-876g-rfmh(x_refsource_CONFIRM)
https://github.com/bulwarkmail/webmail/releases/tag/1.4.10(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB4d ago

CVE-2026-34834 | bulwarkmail webmail up to 1.4.9 Setting verifyIdentity improper authentication (GHSA-4356-876g-rfmh)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.4.10

CWECWE-287

PublishedApr 2, 2026

Last enriched4d agov2

Trending Score17

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (1)

Version History

Last enriched 4d ago

v2Tier C4d ago

Updated severity to CRITICAL, added CVE-2026-34834, and specified patch available in version 1.4.10.

descriptionseveritypatchAvailable

via VulDB

v14d ago

Initial creation