CVE-2026-34833
Published: 02 April 2026
Summary
CVE-2026-34833 is a high-severity Cleartext Storage of Sensitive Information (CWE-312) vulnerability in Bulwarkmail Webmail. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates protecting authenticator content like plaintext passwords from unauthorized disclosure, directly preventing their inclusion in API session responses.
SI-15 requires filtering sensitive information such as passwords from system outputs, mitigating exposure in JSON API responses.
SC-8 enforces confidentiality and integrity of transmissions, reducing risk of password interception by network proxies or MITM attacks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in a public-facing webmail API endpoint (/api/auth/session), so exploiting it is a direct instance of Exploit Public-Facing Application (T1190); the plaintext credentials exposed in its responses map to Unsecured Credentials (T1552).
NVD Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxie.…
This issue has been patched in version 1.4.10.
Deeper analysis
CVE-2026-34833 affects Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server, in versions prior to 1.4.10. The vulnerability resides in the GET /api/auth/session endpoint, which includes the user's plaintext password in the JSON response. This flaw, classified under CWE-312 (Cleartext Storage of Sensitive Information), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact due to exposure of credentials in browser logs, local caches, and network proxies.
Attackers can exploit this vulnerability remotely without authentication, privileges, or user interaction, as long as they can observe the API response. Potential exploitation includes capturing plaintext passwords via network interception (e.g., man-in-the-middle attacks on proxies), accessing browser developer tools or storage on compromised client devices, or reviewing logs in environments with shared access. Successful exploitation enables credential theft, potentially leading to unauthorized access to email accounts or further lateral movement within the mail server ecosystem.
The issue has been addressed in Bulwark Webmail version 1.4.10, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to this patched version immediately and review logs for evidence of prior exposure. Relevant resources include the GitHub release page at https://github.com/bulwarkmail/webmail/releases/tag/1.4.10 and the advisory at https://github.com/bulwarkmail/webmail/security/advisories/GHSA-47pm-883h-885r.
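The two defensive measures named under the mitigating controls above (IA-5 and SI-15: keep authenticator content out of API output) and the log review recommended in this analysis can be shown in a small Node.js module. The code below is an added example and is not Bulwark Webmail's code or its fix; it assumes a constructed session record, a constructed log-line format (JSON body as the last field) and a hypothetical list of sensitive key names. The weak serializer is included only to contrast its shape with the allowlisted one.

```javascript
// Added example (not Bulwark Webmail code): allowlist serialization for a
// session endpoint, an output filter that refuses credential-bearing JSON,
// and a scanner for reviewing stored response logs. Everything below
// (record, field names, log lines) is constructed for the example.

// Constructed server-side session record as it might exist after login.
const sessionRecord = {
  id: "sess-0001",
  user: "alice@example.test",
  password: "CONSTRUCTED-plaintext-password", // must never leave the server
  expiresAt: "2026-04-03T00:00:00Z",
};

// Weak pattern: serialize the whole record, so whatever the server holds
// (including the password) goes into the JSON response. Shown for contrast.
function serializeSessionUnsafe(rec) {
  return JSON.stringify(rec);
}

// Hardened pattern: explicit allowlist of the fields the client needs. A field
// added to the record later stays out of the response unless listed here.
const SESSION_PUBLIC_FIELDS = ["id", "user", "expiresAt"];
function serializeSession(rec) {
  const out = {};
  for (const key of SESSION_PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(rec, key)) out[key] = rec[key];
  }
  return JSON.stringify(out);
}

// Hypothetical list of key names that should not appear in a response body.
// Session tokens are deliberately not listed: a session endpoint may
// legitimately return one.
const SENSITIVE_KEY = /^(password|passwd|pwd|secret|api_key|apikey|private_key)$/i;

// Walk a parsed JSON value and return JSONPath-style locations of sensitive keys.
function findSensitiveKeys(value, path = "$") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findSensitiveKeys(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (SENSITIVE_KEY.test(key)) hits.push(childPath);
      hits.push(...findSensitiveKeys(child, childPath));
    }
  }
  return hits;
}

// Output filter (defense in depth): refuse to send a body exposing a credential.
function guardedSend(body) {
  const leaks = findSensitiveKeys(JSON.parse(body));
  if (leaks.length > 0) {
    throw new Error(`refusing to send response exposing ${leaks.join(", ")}`);
  }
  return body;
}

// Log review: for lines whose trailing field is a JSON body (constructed
// format), report the 1-based line numbers that carried sensitive keys.
function scanLogLines(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    const start = line.indexOf("{");
    if (start < 0) return; // no JSON body on this line
    let body;
    try {
      body = JSON.parse(line.slice(start));
    } catch (e) {
      return; // trailing field is not JSON; skip
    }
    const leaks = findSensitiveKeys(body);
    if (leaks.length > 0) findings.push({ line: idx + 1, keys: leaks });
  });
  return findings;
}

// Constructed log lines of the kind a proxy or client-side debug log might hold.
const constructedLog = [
  'GET /api/auth/session 200 {"id":"sess-0001","user":"alice@example.test","password":"CONSTRUCTED-plaintext-password"}',
  'GET /api/auth/session 200 {"id":"sess-0002","user":"bob@example.test","expiresAt":"2026-04-03T00:00:00Z"}',
  "GET /api/mail/inbox 200 (body omitted)",
];

// Runs the safe path and the log scan; returns both results for inspection.
function demo() {
  return {
    response: guardedSend(serializeSession(sessionRecord)),
    exposedLogLines: scanLogLines(constructedLog),
  };
}
```

Calling `demo()` returns the allowlisted session JSON and a single finding for log line 1, the only line whose body carried a `password` key. The allowlist is the actual fix; the output filter and scanner are secondary checks that catch a regression and let a team review retained logs for evidence of past exposure.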
Details
- CWE(s)