CVE-2026-35389
Received Received - Intake
S/MIME Verification Bypass in Bulwark Webmail Before

Publication date: 2026-04-06

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35389
EUVD
EUVD-2026-19478
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bulwarkmail webmail to 1.4.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade Bulwark Webmail to version 1.4.11 or later, where the S/MIME signature verification properly validates the certificate trust chain.

Impact Analysis

The vulnerability can lead to a false sense of security by showing untrusted or malicious emails as having valid S/MIME signatures. This can result in users trusting and acting on fraudulent emails, potentially leading to phishing attacks, data breaches, or unauthorized actions based on spoofed communications.

Executive Summary

This vulnerability affects Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server. Before version 1.4.11, the software did not properly validate the certificate trust chain during S/MIME signature verification. Specifically, the checkChain parameter was set to false, meaning that emails signed with self-signed or untrusted certificates were incorrectly displayed as having valid signatures.

This flaw allows attackers to spoof email signatures, making malicious or untrusted emails appear as if they were legitimately signed and trusted.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35389. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart