CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxies. This issue has been patched in version 1.4.10.
Analysis
Bulwark Webmail prior to version 1.4.10 exposes user plaintext passwords through its session API endpoint, allowing network-positioned attackers to harvest credentials from browser logs, local caches, and network proxies. The /api/auth/session endpoint returns authentication credentials in JSON responses without encryption, creating an information disclosure vulnerability (CWE-312: Cleartext Storage of Sensitive Information). …
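The pattern behind this class of bug is a session endpoint that serialises the whole server-side session object instead of an explicit allow-list of fields. The following is an added illustration, not Bulwark Webmail's own code: it contrasts the two serialisation styles on a constructed session record (the field names `user`, `password`, `token` and `expires` are assumptions) and adds a response-side check that walks a JSON body and reports any key that looks like a credential, which is the kind of assertion a defender can put in an integration test or a response-inspection proxy rule.

```python
import json

# Constructed sample of what an authenticated session might hold server-side.
# Field names and values are assumptions for this example, not Bulwark's schema.
SESSION = {
    "user": "alice@example.test",
    "password": "s3cret-pass",           # constructed value
    "token": "sess-0123456789abcdef",    # constructed value
    "expires": 1735689600,
}

# Fields the browser legitimately needs to render session state. Everything else
# is dropped, so a new secret added server-side cannot leak by default.
SESSION_PUBLIC_FIELDS = ("user", "expires")

# Key names that should never appear in a response body (case-insensitive).
SECRET_FIELD_NAMES = {"password", "passwd", "pass", "secret", "token", "api_key"}


def session_response_vulnerable(session: dict) -> str:
    """Serialise the whole session object: the deny-nothing pattern that leaks."""
    return json.dumps(session)


def session_response_hardened(session: dict) -> str:
    """Serialise only an explicit allow-list of fields."""
    return json.dumps({k: session[k] for k in SESSION_PUBLIC_FIELDS if k in session})


def find_secret_keys(body: str) -> list:
    """Walk a JSON body and return the key paths whose names look like secrets.

    An empty list is the expected result for a healthy session endpoint; anything
    else is a finding worth alerting on.
    """
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if key.lower() in SECRET_FIELD_NAMES:
                    found.append(path + key)
                walk(value, path + key + ".")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}].")

    walk(json.loads(body), "")
    return found


def leaks_value(body: str, secret: str) -> bool:
    """Literal check: does the serialised body contain a known secret at all?

    Complements the key-name scan, which misses secrets hidden under benign names.
    """
    return secret in body


if __name__ == "__main__":
    for label, render in (("vulnerable", session_response_vulnerable),
                          ("hardened", session_response_hardened)):
        body = render(SESSION)
        print(label, body)
        print("  secret-looking keys:", find_secret_keys(body))
        print("  contains password literal:", leaks_value(body, SESSION["password"]))
```

The key-name scan catches the obvious case (a field literally called `password`); the literal-value check is the one to run in a test harness where the test knows the credential it logged in with, since it also catches secrets echoed under unrelated names or nested inside other values.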
Remediation
Within 24 hours: Inventory all Bulwark Webmail deployments and confirm versions currently in production. Within 7 days: Contact Bulwark vendor for patch availability timeline and interim mitigation guidance; implement network segmentation to restrict API endpoint access to trusted networks only. …
EUVD-2026-18530