{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35391", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T17:03:42.074Z", "datePublished": "2026-04-06T20:17:39.793Z", "dateUpdated": "2026-04-07T15:09:49.591Z"}, "containers": {"cna": {"title": "Bulwark Webmail getClientIP() trusted client-controlled X-Forwarded-For value, enabling rate limit bypass and audit log forgery", "problemTypes": [{"descriptions": [{"cweId": "CWE-348", "lang": "en", "description": "CWE-348: Use of Less Trusted Source", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-7pj2-232x-6698", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-7pj2-232x-6698"}], "affected": [{"vendor": "bulwarkmail", "product": "webmail", "versions": [{"version": "< 1.4.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:17:39.793Z"}, "descriptions": [{"lang": "en", "value": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11."}], "source": {"advisory": "GHSA-7pj2-232x-6698", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:55:27.841694Z", "id": "CVE-2026-35391", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:09:49.591Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11."}], "id": "CVE-2026-35391", "lastModified": "2026-04-07T13:20:11.643", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T21:16:20.867", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-7pj2-232x-6698"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-348"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "webmail", "source": "cna", "vendor": "bulwarkmail"}, "product": "webmail", "vendor": "bulwarkmail"}], "analysis": {"en": {"generated_at": "2026-04-07T02:04:36.484737+00:00", "value": {"mitigation_remediation": ["Upgrade Bulwark Webmail to version 1.4.11 or later.", "Verify that getClientIP() no longer trusts client-supplied X-Forwarded-For headers.", "Ensure reverse proxies strip or limit X-Forwarded-For headers before reaching the application.", "Monitor administrative login attempts and audit logs for abnormal activity."], "summary": {"action": "Immediate Patch", "impact": "Rate-limit bypass"}, "threat_synthesis": {"affected_systems": "Bulwark Mail Server's self\u2011hosted webmail client, Bulwark Webmail, is affected. The vulnerability exists in all releases prior to version 1.4.11. Users running Bulwark Webmail before that update are at risk.", "description_and_impact": "The vulnerability resides in Bulwark Webmail's getClientIP() function, which incorrectly trusts the leftmost entry of the X\u2011Forwarded\u2011For header supplied by the client. Because that header is fully under the attacker's control, it can be manipulated to masquerade as any IP address. This permits bypassing IP\u2011based rate limits that protect the administrative login, enabling brute\u2011force attempts, and also allows forging entries in audit logs so that malicious activity appears to originate from an arbitrary IP. The weakness falls under a trust boundary error (CWE\u2011348).", "risk_and_exploitability": "The CVSS score of 8.7 indicates high severity. Although the EPSS score is not available, the flaw can be exploited by any client who can reach the web application, without authentication, by sending a crafted request containing a forged X\u2011Forwarded\u2011For header. Because the header is normally processed by gateways or proxies, the attack vector is typically an externally reachable web server. The vulnerability is not listed in CISA\u2019s KEV catalog, but its impact on authentication and audit integrity makes it a serious threat to exposed deployments."}}}}, "created": "2026-04-07T06:54:12.830426+00:00", "updated": "2026-04-07T09:37:13.723655+00:00", "vendors": ["bulwarkmail", "bulwarkmail$PRODUCT$webmail"]}