Vulnerability in Bulwarkmail Webmail

CVE-2026-34833

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password in the JSON response. This exposed credentials to brows…

EPSS: 0.000 (5.6th percentile) — read the EPSS interpretation.

Affected products

Bulwarkmail Webmail — versions < 1.4.10

Weakness classification (CWE)

CWE-312 — Cleartext Storage of Sensitive Information

References

https://github.com/bulwarkmail/webmail/security/advisories/GHSA-47pm-883h-885r (x_refsource_CONFIRM)
https://github.com/bulwarkmail/webmail/releases/tag/1.4.10 (x_refsource_MISC)