CVE-2026-34834
Authentication Bypass in Bulwark Webmail Allows Settings Modification
Publication date: 2026-04-02
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bulwarkmail | webmail | to 1.4.10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34834 is a high-severity authentication bypass vulnerability in the verifyIdentity() function of Bulwark Webmail versions prior to 1.4.10.
The vulnerability occurs because the verifyIdentity() function contained fallback logic that returned true if no session cookies were present, allowing unauthenticated attackers to bypass security checks.
This flaw enables attackers to access and modify user settings via the /api/settings endpoint by providing arbitrary headers without needing valid session cookies.
The issue was patched in version 1.4.10 by removing the fallback condition that allowed this bypass.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to bypass authentication and access or modify user settings, which can lead to unauthorized access to sensitive user data.
Such unauthorized access and modification of user data can result in non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
Therefore, if exploited, this vulnerability could compromise the confidentiality and integrity of user data, potentially leading to violations of these regulations.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to bypass authentication and gain unauthorized access to user settings.
Attackers can modify user settings via the /api/settings endpoint, potentially leading to unauthorized changes that could compromise user accounts or system behavior.
Because no valid session cookies are required, the risk of exploitation is high, making it critical to upgrade to the patched version or disable Settings Sync as a workaround.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if unauthorized access to the /api/settings endpoint is possible without valid session cookies.
One way to test this is to send HTTP requests to the /api/settings endpoint without any session cookies but with arbitrary headers and observe if the server allows access or modification of user settings.
For example, you can use curl commands like the following to test for the vulnerability:
- curl -X GET https://your-bulwark-webmail-domain/api/settings -H "Some-Header: arbitrary-value" --cookie "" -v
- curl -X POST https://your-bulwark-webmail-domain/api/settings -H "Content-Type: application/json" -H "Some-Header: arbitrary-value" --cookie "" -d '{"setting":"value"}' -v
If these requests succeed without valid session cookies, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Bulwark Webmail to version 1.4.10 or later, where the vulnerability has been patched.
If upgrading immediately is not possible, users are advised to disable the Settings Sync feature as a temporary workaround to prevent exploitation.