CVE-2026-35391
Received Received - Intake
IP Spoofing in Bulwark Webmail Enables Admin Brute-Force

Publication date: 2026-04-06

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35391
EUVD
EUVD-2026-19480
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bulwarkmail webmail to 1.4.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-348 The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in Bulwark Webmail versions prior to 1.4.11, specifically in the getClientIP() function. This function incorrectly trusts the first entry of the X-Forwarded-For header, which is controlled by the client. Because of this, an attacker can forge their source IP address.

By forging the IP address, the attacker can bypass IP-based rate limiting mechanisms designed to prevent brute-force attacks on the admin login. Additionally, the attacker can forge audit log entries, making malicious activities appear to come from arbitrary IP addresses.

This vulnerability was fixed in version 1.4.11 of Bulwark Webmail.

Impact Analysis

This vulnerability can allow an attacker to bypass IP-based rate limiting, enabling brute-force attacks against the admin login of Bulwark Webmail.

Such brute-force attacks could lead to unauthorized access to the admin account, compromising the security of the mail server.

Furthermore, the attacker can forge audit log entries, which can obscure their malicious activities and make it difficult to trace attacks or identify the true source of malicious actions.

Mitigation Strategies

To mitigate this vulnerability, upgrade Bulwark Webmail to version 1.4.11 or later, where the issue with trusting the first entry of the X-Forwarded-For header in the getClientIP() function is fixed.

Compliance Impact

The vulnerability allows an attacker to forge their source IP address in the X-Forwarded-For header, which can be used to bypass IP-based rate limiting and forge audit log entries. This manipulation of audit logs can undermine the integrity and reliability of security monitoring and incident response processes.

Such weaknesses in audit logging and security controls could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require accurate logging and protection against unauthorized access and tampering. However, the provided information does not explicitly state the compliance impact.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35391. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart