{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35389", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T17:03:42.074Z", "datePublished": "2026-04-06T20:11:56.827Z", "dateUpdated": "2026-04-07T16:19:51.168Z"}, "containers": {"cna": {"title": "Bulwark Webmail S/MIME signature verification accepted self-signed certificates", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-v6w6-338p-p256", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-v6w6-338p-p256"}], "affected": [{"vendor": "bulwarkmail", "product": "webmail", "versions": [{"version": "< 1.4.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:13:14.975Z"}, "descriptions": [{"lang": "en", "value": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11."}], "source": {"advisory": "GHSA-v6w6-338p-p256", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T16:19:43.461171Z", "id": "CVE-2026-35389", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:19:51.168Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11."}], "id": "CVE-2026-35389", "lastModified": "2026-04-07T13:20:11.643", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T21:16:20.580", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-v6w6-338p-p256"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "webmail", "source": "cna", "vendor": "bulwarkmail"}, "product": "webmail", "vendor": "bulwarkmail"}], "analysis": {"en": {"generated_at": "2026-04-07T02:05:15.120558+00:00", "value": {"mitigation_remediation": ["Upgrade Bulwark Webmail to version 1.4.11 or newer."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The affected product is Bulwark Webmail, a self\u2011hosted client for the Stalwart Mail Server. Versions prior to 1.4.11 are vulnerable, meaning any installation running 1.4.10 or earlier will accept untrusted signatures.", "description_and_impact": "Bulwark Webmail accepted S/MIME signatures that used self\u2011signed or otherwise untrusted certificates because the signature verification process did not validate the certificate trust chain. This allows an attacker to sign a message with a certificate that the system will treat as trusted, giving the appearance of a legitimate signed email while enabling forging of otherwise authenticated messages. The weakness is recognized as improper certificate validation, which can be exploited to compromise the perceived integrity of email communications.", "risk_and_exploitability": "A CVSS score of 8.7 indicates high severity. No EPSS score is available, but the lack of trust chain validation suggests the flaw can be readily exploited by a remote attacker sending crafted messages. The vulnerability is not yet listed in the CISA KEV catalog, but its nature and severity make it a priority for patching. A likely attack vector is the injection of malicious signed emails, either unsolicited phishing attempts or legitimate-looking internal communications."}}}}, "created": "2026-04-07T06:54:14.819284+00:00", "updated": "2026-04-07T09:37:16.010357+00:00", "vendors": ["bulwarkmail", "bulwarkmail$PRODUCT$webmail"]}