Which versions of Webmail are affected by CVE-2026-35391?

Bulwark Webmail versions before 1.4.11 contain an unauthenticated IP spoofing vulnerability that allows attackers to bypass rate limiting on admin login pages and forge audit logs, directly enabling…. A patch is available.

How to fix or mitigate CVE-2026-35391?

Within 24 hours: Identify all Bulwark Webmail deployments and document current versions. Within 7 days: Upgrade all instances to version 1.4.11 or later per vendor guidance; validate upgrade completion across all systems. Within 30 days: Audit admin login attempts and audit logs for the past 90 days to identify potential unauthorized access or log forgery; review access controls on admin interfaces and consider network-based rate limiting as defense-in-depth.

Webmail CVE-2026-35391

Q: What is the CVSS score of CVE-2026-35391?

CVE-2026-35391 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-19480 HIGH

Use of Less Trusted Source (CWE-348)

2026-04-06 GitHub_M

Authentication Bypass Webmail

8.7

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:05 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.4.11

EUVD ID Assigned

Apr 06, 2026 - 21:00 euvd

EUVD-2026-19480

Analysis Generated

Apr 06, 2026 - 21:00 vuln.today

CVE Published

Apr 06, 2026 - 20:17 nvd

HIGH 8.7

DescriptionGitHub Advisory

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.

AnalysisAI

IP address spoofing in Bulwark Webmail versions prior to 1.4.11 allows unauthenticated remote attackers to bypass IP-based rate limiting and forge audit log entries by manipulating the X-Forwarded-For HTTP header. The vulnerability enables brute-force attacks against admin login interfaces and allows malicious actors to mask their true origin in security logs. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft HTTP request with forged X-Forwarded-For header

Exploit

Bypass IP-based rate limiting on admin login

Execution

Launch brute-force attack against credentials

Impact

Gain administrative access