High severity7.5NVD Advisory· Published Apr 6, 2026· Updated Apr 9, 2026

CVE-2026-35391

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.

Affected products

Bulwarkmail/Webmail
cpe:2.3:a:bulwarkmail:webmail:*:*:*:*:*:*:*:*
Range: <1.4.11

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/bulwarkmail/webmail/security/advisories/GHSA-7pj2-232x-6698nvdVendor Advisory

News mentions

Why Malwarebytes blocks some Yahoo Mail redirects
Malwarebytes Labs · May 14, 2026
Critrical cPanel flaw mass-exploited in "Sorry" ransomware attacks
BleepingComputer · May 2, 2026
Recovery scammers hit you when you’re down: Here’s how to avoid a second strike
ESET WeLiveSecurity · Apr 10, 2026

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000