Cyber Resilience

CVE-2026-34834

High

Published: 02 April 2026
Modified: 09 April 2026
KEV Added: not listed
Patch: available (fixed in version 1.4.10)
CVSS Score (v4.0): 8.7 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0025 (16.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-34834 is a high-severity Improper Authentication (CWE-287) vulnerability in Bulwark Webmail (the bulwarkmail/webmail project), a self-hosted webmail client for Stalwart Mail Server. Its CVSS v4.0 base score is 8.7 (High); the CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 16.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication for Organizational Users); see Mitigating Controls below.

Deeper analysis

CVE-2026-34834 is an improper authentication vulnerability (CWE-287) in Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server. In versions prior to 1.4.10, the verifyIdentity() function returns true when the request carries no session cookies at all, so the check that is meant to reject unauthenticated requests instead passes them. An attacker who simply omits cookies and supplies arbitrary request headers can therefore reach the /api/settings endpoint and read or modify user settings without ever authenticating.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction; the CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), consistent with the v4.0 vector above (VC:N/VI:H/VA:N). Note that both vectors score confidentiality impact as None and integrity impact as High, so the scored outcome is unauthorized modification of user settings without valid credentials, potentially leading to configuration manipulation or account takeover.

The vulnerability has been patched in Bulwark Webmail version 1.4.10. Security practitioners should upgrade to 1.4.10 or later immediately and confirm the running version after deployment, since the flaw is reachable without credentials on any Internet-facing instance. Additional details are available in the release notes at https://github.com/bulwarkmail/webmail/releases/tag/1.4.10 and the GitHub security advisory at https://github.com/bulwarkmail/webmail/security/advisories/GHSA-4356-876g-rfmh.

Vulnerability details

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10.
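The following added example is not Bulwark Webmail's code and is not drawn from the advisory; it reconstructs the logic pattern that the description above (and the Deeper analysis) names, a verifyIdentity() that returns true when no session cookies are present followed by a settings handler that then has nothing but client-supplied headers to identify the user, and places a fail-closed version beside it. The session store, the settings store, the "x-user" header, the handleSettings route and the request shape are all assumptions made for the illustration.

```javascript
// Added illustration for the CWE-287 pattern described for CVE-2026-34834.
// NOT Bulwark Webmail's code: SESSIONS, SETTINGS, the "x-user" header,
// handleSettings and the request shape are assumptions made for this example.
// Header names are lowercase, as Node's http module presents them.

// Hypothetical server-side session store: session id -> identity.
const SESSIONS = new Map([["sid-1234", { user: "alice" }]]);

// Hypothetical per-user settings that /api/settings reads and writes.
const SETTINGS = new Map([
  ["alice", { signature: "Alice" }],
  ["bob", { signature: "Bob" }],
]);

// Minimal Cookie-header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  if (typeof header !== "string") return out;
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// VULNERABLE pattern: a request with no cookies is treated as "nothing to
// verify" and passes. The caller then has no session to identify the user
// from, so identity falls back to whatever the client claims in a header.
function verifyIdentityVulnerable(req) {
  const cookies = parseCookies(req.headers["cookie"]);
  if (Object.keys(cookies).length === 0) {
    return true; // BUG: absence of a session is not a valid session
  }
  return SESSIONS.has(cookies["session"]);
}

// HARDENED pattern: fail closed. Missing, empty or unknown session ids all
// return false; identity is resolved only from the server-side session.
function verifyIdentityHardened(req) {
  const sid = parseCookies(req.headers["cookie"])["session"];
  if (typeof sid !== "string" || sid.length === 0) return false;
  return SESSIONS.has(sid);
}

// Hypothetical /api/settings handler returning { status, body }.
// `verify` is one of the two checks above; `hardened` selects how the user is
// resolved once the check passes. GET reads settings, PUT merges req.body in.
function handleSettings(req, verify, hardened) {
  if (!verify(req)) return { status: 401, body: { error: "unauthenticated" } };
  const sid = parseCookies(req.headers["cookie"])["session"];
  let user;
  if (hardened) {
    user = SESSIONS.get(sid).user; // verify() guaranteed sid exists
  } else {
    // Vulnerable flow: no session, so trust the client-supplied x-user header.
    user = SESSIONS.has(sid) ? SESSIONS.get(sid).user : req.headers["x-user"];
  }
  const settings = SETTINGS.get(user);
  if (!settings) return { status: 404, body: { error: "no such user" } };
  if (req.method === "PUT" && req.body) Object.assign(settings, req.body);
  return { status: 200, body: { user, settings: { ...settings } } };
}

// Constructed request: no Cookie header at all, only an arbitrary identity
// header. Returns the status each variant gives it.
function demo() {
  const req = { method: "GET", headers: { "x-user": "bob" } };
  return {
    vulnerable: handleSettings(req, verifyIdentityVulnerable, false).status, // 200
    hardened: handleSettings(req, verifyIdentityHardened, true).status, // 401
  };
}
```

The hardened variant fixes two things at once: the missing-cookie case no longer short-circuits to success, and the handler never consults a request header to decide whose settings are being edited. The second point matters because even a correct cookie check is undone if the identity used for authorization is taken from something the client controls.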

CWE(s)

CWE-287 Improper Authentication

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an authentication bypass vulnerability in a public-facing web application (Bulwark Webmail) that allows unauthenticated remote attackers to access and modify settings via an API endpoint, directly mapping to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34833 · Same product: Bulwarkmail Webmail
CVE-2026-35389 · Same product: Bulwarkmail Webmail
CVE-2026-35391 · Same product: Bulwarkmail Webmail
CVE-2025-1044 · Shared CWE-287
CVE-2026-1740 · Shared CWE-287
CVE-2026-7022 · Shared CWE-287
CVE-2024-13111 · Shared CWE-287
CVE-2026-29145 · Shared CWE-287
CVE-2018-25236 · Shared CWE-287
CVE-2024-53704 · Shared CWE-287

Affected Assets

bulwarkmail / webmail
Affected versions: < 1.4.10 (fixed in 1.4.10)

Mitigating Controls (NIST 800-53 r5)

prevent · Session authenticity (the page does not name the control ID; the description matches SC-23 Session Authenticity)
Requires verification of session authenticity using identifiers like cookies, directly countering the verifyIdentity() flaw that returned true without session cookies.

prevent · AC-3 Access Enforcement
Enforces approved authorizations for access to resources like the /api/settings endpoint, preventing unauthorized modifications due to authentication bypass.

prevent · IA-2 Identification and Authentication (Organizational Users)
Mandates proper identification and authentication of users before granting access to protected functions, addressing the improper authentication logic in verifyIdentity().

References

Release notes for Bulwark Webmail 1.4.10: https://github.com/bulwarkmail/webmail/releases/tag/1.4.10
GitHub security advisory GHSA-4356-876g-rfmh: https://github.com/bulwarkmail/webmail/security/advisories/GHSA-4356-876g-rfmh