Platform: nodejs
Component: bulwarkmail/webmail
Fixed in: 1.4.12
CVE-2026-35391 affects Bulwark Webmail versions 1.4.0 through 1.4.10. This vulnerability stems from the improper handling of the X-Forwarded-For header, allowing attackers to manipulate the perceived source IP address. Exploitation can lead to brute-force attacks against the admin login and the falsification of audit log entries, potentially masking malicious activity. The vulnerability is resolved in version 1.4.11.
The core of this vulnerability lies in the getClientIP() function within Bulwark Webmail's admin session management. This function incorrectly trusts the leftmost entry of the X-Forwarded-For header, which is whatever value the requesting client chose to send; only entries appended by proxies the operator controls carry any trust. An attacker can craft an HTTP request with a forged X-Forwarded-For header and thereby appear to originate from any IP address they choose. This allows them to bypass IP-based rate limiting, enabling repeated attempts to brute-force the administrator login. Furthermore, the forged IP address is recorded in audit logs, creating a false trail and obscuring the true origin of malicious actions. The blast radius extends to the integrity of the webmail server's audit trails and the security of the administrative interface.
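The vulnerable pattern described above beside a hardened version, as an added JavaScript example; this is not Bulwark Webmail's own code, and the function names, the request object shape and the trusted-proxy address are assumptions made for illustration.

```javascript
// Added example, not Bulwark Webmail's code. Request objects mimic Node's
// http.IncomingMessage (req.headers, req.socket.remoteAddress).

// Vulnerable pattern: trusts the leftmost X-Forwarded-For entry, which is
// set by the client and can hold any value the client wants.
function getClientIPVulnerable(req) {
  const xff = req.headers['x-forwarded-for'];
  if (xff) {
    return xff.split(',')[0].trim();
  }
  return req.socket.remoteAddress;
}

// Assumption: the address of the reverse proxy we operate in front of the app.
const TRUSTED_PROXIES = new Set(['10.0.0.5']);

// Hardened pattern: only honour X-Forwarded-For when the TCP peer is one of
// our proxies, then walk the chain from the right, skipping our own proxies.
// The first address that is not ours is the real client; everything to its
// left was supplied by the client and is untrusted.
function getClientIPHardened(req, trustedProxies = TRUSTED_PROXIES) {
  const remote = req.socket.remoteAddress;
  if (!trustedProxies.has(remote)) {
    return remote; // direct connection: ignore the header entirely
  }
  const raw = req.headers['x-forwarded-for'] || '';
  const hops = raw.split(',').map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  // Header empty or every hop was one of our proxies: fall back to the peer.
  return remote;
}

// Constructed request: a client at 203.0.113.7 connects through the proxy
// 10.0.0.5 and sends a forged header claiming to be 198.51.100.1; the proxy
// appends the real peer address, producing the chain below.
const forgedRequest = {
  headers: { 'x-forwarded-for': '198.51.100.1, 203.0.113.7' },
  socket: { remoteAddress: '10.0.0.5' },
};
```

The vulnerable function reports the forged address, while the hardened one reports the address the proxy actually observed, which is also what the rate limiter and audit log should record.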
This vulnerability was publicly disclosed on 2026-04-06. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The potential for exploitation remains, particularly in environments with legacy configurations or inadequate security controls.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
The primary mitigation for CVE-2026-35391 is to immediately upgrade Bulwark Webmail to version 1.4.11 or later. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider implementing a Web Application Firewall (WAF) rule to sanitize the X-Forwarded-For header. Specifically, the WAF should be configured to reject requests with excessively long or suspicious X-Forwarded-For headers. Additionally, review and strengthen the rate limiting policies for the admin login, potentially implementing multi-factor authentication to further reduce the risk of brute-force attacks. After upgrading, verify the fix by attempting to send a request with a forged X-Forwarded-For header and confirming that the server correctly rejects it or logs the attempted manipulation.
Update to version 1.4.11 or later to fix the vulnerability. This update corrects how the X-Forwarded-For header is handled, preventing attackers from forging IP addresses and bypassing rate limits.
CVE-2026-35391 is a vulnerability in Bulwark Webmail versions 1.4.0 through 1.4.10 that allows attackers to forge their IP address by manipulating the X-Forwarded-For header, bypassing rate limiting and potentially falsifying audit logs.
You are affected if you are running Bulwark Webmail version 1.4.0 through 1.4.10 and have not yet upgraded to version 1.4.11.
The recommended fix is to upgrade to Bulwark Webmail version 1.4.11 or later. As a temporary workaround, implement a WAF rule to sanitize the X-Forwarded-For header.
There is currently no evidence of active exploitation campaigns targeting CVE-2026-35391, but the potential for exploitation remains.
Please refer to the official Bulwark Webmail documentation and security advisories for the most up-to-date information regarding CVE-2026-35391.