Which versions of Webmail are affected by CVE-2026-34834?

Bulwark Webmail versions before 1.4.10 contain an unauthenticated authentication bypass that allows remote attackers to access and modify user email settings without valid credentials, potentially…. A patch is available.

How to fix or mitigate CVE-2026-34834?

Within 24 hours: Inventory all Bulwark Webmail instances and identify versions prior to 1.4.10; document current patch levels and deployment count. Within 7 days: Apply vendor-released patch upgrading all instances to Bulwark Webmail 1.4.10 or later; validate patch deployment through version verification. Within 30 days: Conduct audit of /api/settings endpoint access logs for the period prior to patching; review for unauthorized user configuration changes and reset credentials for all webmail accounts as precautionary measure.

Webmail CVE-2026-34834

Q: What is the CVSS score of CVE-2026-34834?

CVE-2026-34834 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-18531 HIGH

Improper Authentication (CWE-287)

2026-04-02 GitHub_M

Authentication Bypass Webmail

8.7

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:07 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.4.10

EUVD ID Assigned

Apr 02, 2026 - 19:31 euvd

EUVD-2026-18531

Analysis Generated

Apr 02, 2026 - 19:31 vuln.today

CVE Published

Apr 02, 2026 - 19:11 nvd

HIGH 8.7

DescriptionGitHub Advisory

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10.

AnalysisAI

Unauthenticated authentication bypass in Bulwark Webmail versions prior to 1.4.10 allows remote attackers to access and modify user settings without credentials. The vulnerability stems from flawed verifyIdentity() logic that returns true when session cookies are absent, enabling unauthorized manipulation of the /api/settings endpoint through arbitrary header injection. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send HTTP request to /api/settings endpoint

Delivery

Omit session cookies from request

Exploit

verifyIdentity() returns true due to missing cookies

Execution

Bypass authentication check

Impact

Access and modify user settings