Which versions of Webmail are affected by CVE-2026-35389?

Bulwark Webmail versions prior to 1.4.11 contain a critical S/MIME signature verification flaw that allows attackers to forge digitally signed emails appearing legitimate to recipients, compromising…. A patch is available.

How to fix or mitigate CVE-2026-35389?

Within 24 hours: Identify all Bulwark Webmail deployments and document current versions. Within 7 days: Deploy vendor-released patch to version 1.4.11 or later across all affected instances; validate S/MIME signature verification functionality post-patch. Within 30 days: Conduct audit of digitally signed emails received during vulnerable period for authenticity; implement user awareness training on S/MIME verification best practices and manual certificate validation.

Webmail CVE-2026-35389

Q: What is the CVSS score of CVE-2026-35389?

CVE-2026-35389 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-19478 HIGH

Improper Certificate Validation (CWE-295)

2026-04-06 GitHub_M

Information Disclosure Webmail

8.7

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:05 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.4.11

EUVD ID Assigned

Apr 06, 2026 - 21:00 euvd

EUVD-2026-19478

Analysis Generated

Apr 06, 2026 - 21:00 vuln.today

CVE Published

Apr 06, 2026 - 20:11 nvd

HIGH 8.7

DescriptionGitHub Advisory

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.

AnalysisAI

S/MIME signature verification in Bulwark Webmail prior to 1.4.11 fails to validate certificate trust chains, allowing attackers to forge digitally signed emails using self-signed or untrusted certificates that appear legitimate to recipients. This integrity bypass affects all unauthenticated remote attackers (CVSS:4.0 AV:N/AC:L/PR:N) with high integrity impact. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Attacker sends email signed with self-signed certificate

Exploit

Bulwark Webmail displays signature as valid

Execution

User trusts forged sender identity

Impact

Attacker executes phishing or fraud attack