CVE-2026-35389
Received Received - Intake

S/MIME Verification Bypass in Bulwark Webmail Before

Vulnerability report for CVE-2026-35389, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-06

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-06
Last Modified
2026-04-09
Generated
2026-07-06
AI Q&A
2026-04-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
bulwarkmail webmail to 1.4.11 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade Bulwark Webmail to version 1.4.11 or later, where the S/MIME signature verification properly validates the certificate trust chain.

Impact Analysis

The vulnerability can lead to a false sense of security by showing untrusted or malicious emails as having valid S/MIME signatures. This can result in users trusting and acting on fraudulent emails, potentially leading to phishing attacks, data breaches, or unauthorized actions based on spoofed communications.

Executive Summary

This vulnerability affects Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server. Before version 1.4.11, the software did not properly validate the certificate trust chain during S/MIME signature verification. Specifically, the checkChain parameter was set to false, meaning that emails signed with self-signed or untrusted certificates were incorrectly displayed as having valid signatures.

This flaw allows attackers to spoof email signatures, making malicious or untrusted emails appear as if they were legitimately signed and trusted.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35389. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart