Platform: php
Component: bulwarkmail
Fixed in: 1.4.12
CVE-2026-35389 is a vulnerability affecting Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.11, the S/MIME signature verification process failed to validate the certificate trust chain, allowing emails signed with self-signed or untrusted certificates to be displayed as valid. This can lead to email spoofing and potential compromise of user trust. The vulnerability is resolved in version 1.4.11.
The primary impact of CVE-2026-35389 is that an attacker can forge email signatures, making a message appear to originate from a trusted sender. This can be exploited to launch phishing attacks, spread malware, or manipulate recipients into taking actions they would not otherwise take. Because Bulwark Webmail is a self-hosted solution, each organization is responsible for securing its own instance, so deployments that have not been updated to a version with proper certificate validation remain exposed. The potential blast radius extends to all users of the affected webmail system, as any user could be targeted with a spoofed email.
CVE-2026-35389 was publicly disclosed on 2026-04-06. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-35389 is to immediately upgrade Bulwark Webmail to version 1.4.11 or later. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider implementing stricter email filtering rules to flag emails with self-signed or untrusted certificates. While not a complete solution, this can provide an additional layer of defense. Additionally, educate users to be wary of emails with unexpected signatures or from unfamiliar senders. After upgrading, verify the fix by sending a test email signed with a self-signed certificate and confirming that it is correctly flagged as invalid within the webmail client.
Update Bulwark Webmail to version 1.4.11 or later to fix the vulnerability. This version correctly validates the S/MIME certificate trust chain, preventing email signatures with self-signed or untrusted certificates from being considered valid.
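The verification test suggested above, as an added example that is not Bulwark Webmail's or Stalwart's code: it uses the openssl command line (assumed to be OpenSSL 1.1.1 or later with its default configuration) to build a constructed trust anchor, a sender certificate issued by it and a self-signed look-alike, signs the same message with both, and compares a signature-only check, which is the behaviour this CVE describes, with signature plus chain validation. The CA name, sender address and message body are constructed.

```shell
#!/bin/sh
# Added example, not Bulwark Webmail's code: reproduce the class of bug in
# CVE-2026-35389 with the openssl CLI. CA, sender and message are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
q() { "$@" >/dev/null 2>&1; }   # run an openssl command quietly

# Trust anchor of the constructed organisation: the only issuer to accept.
q openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Org Mail CA" \
  -keyout ca.key -out ca.pem
# Legitimate sender certificate, issued by that CA.
q openssl req -newkey rsa:2048 -nodes -subj "/CN=alice@example.test" \
  -keyout alice.key -out alice.csr
q openssl x509 -req -in alice.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 1 \
  -out alice.pem
# Self-signed certificate claiming the same identity but issued by nobody.
q openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice@example.test" \
  -keyout fake.key -out fake.pem

printf 'Subject: invoice\n\nPlease pay the attached invoice.\n' > body.txt
q openssl smime -sign -in body.txt -signer alice.pem -inkey alice.key -out good.eml
q openssl smime -sign -in body.txt -signer fake.pem -inkey fake.key -out forged.eml

# Vulnerable behaviour: the signature is checked against the certificate
# embedded in the message, but that certificate is never chained to a trust anchor.
verify_signature_only() { q openssl smime -verify -noverify -in "$1"; }
# Fixed behaviour: signature check plus chain validation against the trust store.
verify_with_chain() { q openssl smime -verify -in "$1" -CAfile "$2"; }

# classify POLICY MESSAGE CAFILE -> prints "valid" or "invalid".
classify() {
  if "$1" "$2" "$3"; then echo valid; else echo invalid; fi
}

for msg in good.eml forged.eml; do
  printf '%-11s signature-only=%s  with-chain=%s\n' "$msg" \
    "$(classify verify_signature_only "$msg" ca.pem)" \
    "$(classify verify_with_chain "$msg" ca.pem)"
done
```

The forged message passes the signature-only policy and fails the chain policy; a patched client should behave like the second column.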
CVE-2026-35389 is a vulnerability in Bulwark Webmail versions 1.4.0 through 1.4.10 where S/MIME signature verification fails to validate the certificate trust chain, allowing spoofed emails to appear valid.
You are affected if you are using Bulwark Webmail versions 1.4.0 through 1.4.10. Upgrade to version 1.4.11 to mitigate the risk.
The fix is to upgrade Bulwark Webmail to version 1.4.11 or later. If immediate upgrade is not possible, implement stricter email filtering rules.
As of the current disclosure date, there are no known active exploits for CVE-2026-35389.
Refer to the official Stalwart Mail Server website or Bulwark Webmail documentation for the advisory related to CVE-2026-35389.