CVE-2026-35389
S/MIME Verification Bypass in Bulwark Webmail Before
Publication date: 2026-04-06
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bulwarkmail | webmail | to 1.4.11 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
The vulnerability can lead to a false sense of security by showing untrusted or malicious emails as having valid S/MIME signatures. This can result in users trusting and acting on fraudulent emails, potentially leading to phishing attacks, data breaches, or unauthorized actions based on spoofed communications.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Bulwark Webmail to version 1.4.11 or later, where the S/MIME signature verification properly validates the certificate trust chain.
Can you explain this vulnerability to me?
This vulnerability affects Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server. Before version 1.4.11, the software did not properly validate the certificate trust chain during S/MIME signature verification. Specifically, the checkChain parameter was set to false, meaning that emails signed with self-signed or untrusted certificates were incorrectly displayed as having valid signatures.
This flaw allows attackers to spoof email signatures, making malicious or untrusted emails appear as if they were legitimately signed and trusted.