Platform
other
Component
webmail
Fixed version
1.4.11
CVE-2026-34834 describes an authentication bypass vulnerability discovered in Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server. This flaw allows unauthenticated attackers to bypass security checks and potentially access or modify user settings. The vulnerability affects versions of Bulwark Webmail prior to 1.4.10, and a patch is available in version 1.4.10.
An attacker exploiting this vulnerability can bypass authentication and directly access the /api/settings endpoint. This allows them to modify user settings, potentially gaining control over user accounts or altering the webmail client's configuration. The impact extends to the confidentiality and integrity of user data and the overall security of the Stalwart Mail Server environment. While the vulnerability doesn't directly lead to remote code execution, the ability to modify user settings can be leveraged for further malicious activities, such as phishing or account takeover.
This vulnerability was publicly disclosed on 2026-04-02. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the authentication bypass nature, it's plausible that threat actors may attempt to exploit this vulnerability, particularly if they are targeting Stalwart Mail Server deployments.
Organizations using Stalwart Mail Server with Bulwark Webmail versions prior to 1.4.10 are at risk, particularly those with exposed webmail instances or those lacking robust network segmentation. Shared hosting environments where multiple users share the same Bulwark Webmail instance are also at increased risk.
disclosure
Exploit status
EPSS
0.09% (26th percentile)
CISA SSVC
The primary mitigation for CVE-2026-34834 is to immediately upgrade Bulwark Webmail to version 1.4.10 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the /api/settings endpoint to trusted IP addresses or implementing stricter authentication measures. Review web server access logs for suspicious activity related to the /api/settings endpoint. After upgrading, confirm the fix by attempting to access the /api/settings endpoint without valid authentication cookies; the request should be rejected.
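To support the log review and IP-restriction advice above, here is an added example (not from the advisory or the Bulwark project) that scans web server access logs for /api/settings requests that came from outside an allowed range and were not rejected by the server. It assumes Combined Log Format, an assumed trusted range of 10.0.0.0/8, and constructed sample log lines; access logs do not record cookies, so source address and response status are used as the signal.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (Combined Log Format); not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Apr/2026:10:01:12 +0000] "GET /api/settings HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.9 - - [03/Apr/2026:10:01:15 +0000] "POST /api/settings HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.5 - - [03/Apr/2026:10:02:01 +0000] "GET /api/settings?lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Apr/2026:10:02:30 +0000] "GET /inbox HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Apr/2026:10:03:00 +0000] "POST /api/settings HTTP/1.1" 401 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TRUSTED = [ip_network("10.0.0.0/8")]  # assumed: ranges that may legitimately reach the API
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}  # methods that can change settings

def parse_line(line):
    # Return the fields we need, or None if the line is not in the expected format.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec

def is_trusted(ip, trusted):
    try:
        return any(ip_address(ip) in net for net in trusted)
    except ValueError:  # not a parseable address
        return False

def find_suspicious_settings_access(log_text, trusted=TRUSTED):
    # Flag /api/settings requests from untrusted sources that the server did not reject (status < 400).
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/api/settings"):
            continue
        if rec["status"] >= 400 or is_trusted(rec["ip"], trusted):
            continue  # rejected, or from an allowed range
        rec["severity"] = "high" if rec["method"] in WRITE_METHODS else "medium"
        hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_suspicious_settings_access(SAMPLE_LOG):
        print(f'{h["severity"]:6} {h["ip"]:15} {h["method"]:5} {h["path"]} -> {h["status"]} at {h["ts"]}')
```

Successful write requests to the endpoint from unexpected sources are the ones worth investigating first; once the upgrade is in place, unauthenticated requests should show up as rejected (4xx) and drop out of this list.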
Update Bulwark Webmail to version 1.4.10 or later. This version fixes the missing cookie validation in the verifyIdentity() function to close the authentication bypass vulnerability.
CVE-2026-34834 is a vulnerability in Bulwark Webmail versions prior to 1.4.10 that allows attackers to bypass authentication and access user settings.
You are affected if you are using Bulwark Webmail version 1.4.10 or earlier. Upgrade to 1.4.10 to mitigate the risk.
Upgrade Bulwark Webmail to version 1.4.10 or later. As a temporary workaround, restrict access to the /api/settings endpoint.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests potential for exploitation.
Refer to the Stalwart Mail Server security advisories for the official announcement and details regarding CVE-2026-34834.