Auth bypass in Bulwarkmail Webmail

CVE-2026-34834

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers…

Vulnerability class: Broken Authentication
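The fail-open pattern described above, next to a fail-closed version, as an added example (not Bulwark Webmail's code or its 1.4.10 patch). The cookie name `session`, the `SESSIONS` store, the request shape and every function name other than `verifyIdentity` are assumptions made for illustration.

```javascript
// Constructed session store standing in for a server-side session lookup.
const SESSIONS = new Map([["tok-constructed-1", { user: "alice@example.test" }]]);

// Parse a Cookie header into a Map of name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// Fail-open shape: a request with no session cookie is treated as verified.
function verifyIdentityFailOpen(req) {
  const jar = parseCookies(req.headers.cookie);
  if (!jar.has("session")) return true; // flaw: nothing to validate, so "ok"
  return SESSIONS.has(jar.get("session"));
}

// Fail-closed shape: only a cookie that resolves to a live session yields
// an identity; every other path returns null.
function verifyIdentityFailClosed(req) {
  const token = parseCookies(req.headers.cookie).get("session");
  if (!token) return null;
  return SESSIONS.get(token) || null;
}

// Regression matrix (constructed requests) an auth check should be run against.
const CASES = {
  noHeader: { headers: {} },
  emptyHeader: { headers: { cookie: "" } },
  unrelatedCookie: { headers: { cookie: "theme=dark" } },
  bogusSession: { headers: { cookie: "session=not-a-real-token" } },
  validSession: { headers: { cookie: "theme=dark; session=tok-constructed-1" } },
};

// Returns { caseName: boolean } showing which requests the check accepts.
function acceptedBy(verify) {
  const out = {};
  for (const [name, req] of Object.entries(CASES)) out[name] = Boolean(verify(req));
  return out;
}

console.log("fail-open  :", acceptedBy(verifyIdentityFailOpen));
console.log("fail-closed:", acceptedBy(verifyIdentityFailClosed));
```

A test suite that only exercises valid and invalid cookies passes against both versions; the cookie-less cases are the ones that tell them apart.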

EPSS: 0.001 (31.9th percentile)
