Bulwark Webmail getClientIP() trusted client-controlled X-Forwarded-For value, enabling rate limit bypass and audit log forgery

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.

Affected Products

Vendor	Product	Versions
bulwarkmail	webmail	< 1.4.11, 1.4.10

References

https://github.com/bulwarkmail/webmail/security/advisories/GHSA-7pj2-232x-6698(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB6h ago

CVE-2026-35391 | bulwarkmail webmail up to 1.4.10 X-Forwarded-For lib/admin/session.ts getClientIP less trusted source

→ No new info (linked only)

CVSS 3.10.0 HIGH

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.4.11

CWECWE-348

PublishedApr 6, 2026

Last enriched6h agov2

Trending Score27

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 6h ago

v2Tier C6h ago

Updated affected versions to include 1.4.10, changed severity to HIGH, and noted that no exploit exists.

affectedVersionsseveritycvssEstimatepatchAvailable

via VulDB

v16h ago

Initial creation

Bulwark Webmail getClientIP() trusted client-controlled X-Forwarded-For value, enabling rate limit bypass and audit log forgery

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (1)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History