CVE-2026-34834

Source
https://cve.org/CVERecord?id=CVE-2026-34834
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34834.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34834
Aliases
  • GHSA-4356-876g-rfmh
Published
2026-04-02T19:11:54.448Z
Modified
2026-07-15T01:49:17.981912348Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation
Details

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34834.json",
    "cwe_ids": [
        "CWE-287"
    ]
}
References

Affected packages

Git / github.com/bulwarkmail/webmail

Affected ranges

Type
GIT
Repo
https://github.com/bulwarkmail/webmail
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:bulwarkmail:webmail:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.4.10"
        }
    ]
}

Affected versions

1.*
1.3.0
1.3.9
1.4.0
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34834.json"