Cyber Posture

CVE-2026-34834

Severity: High

Published: 02 April 2026
Modified: 09 April 2026
KEV Added: not listed
Patch: available (version 1.4.10)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0013 (31.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34834 is a high-severity Improper Authentication (CWE-287) vulnerability in Bulwark Webmail (GitHub: bulwarkmail/webmail), a self-hosted webmail client for Stalwart Mail Server. Its CVSS v3.1 base score is 7.5 (High); the vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) scores the impact as integrity-only.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Exploit likelihood (EPSS 0.0013) ranks at the 31.9th percentile, below the median, and the CVE is not currently listed in the CISA KEV catalog. A low EPSS score does not make the bypass harder to pull off: the flaw needs no credentials and no user interaction, and webmail endpoints are typically Internet-facing.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)). Both are compensating controls; the fix is upgrading to version 1.4.10.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Session authenticity · prevent
Requires verification of session authenticity using identifiers such as session cookies, directly countering the verifyIdentity() flaw that returned true when no session cookie was present.

AC-3 Access Enforcement · prevent
Enforces approved authorizations for access to resources such as the /api/settings endpoint, so an authentication bypass alone does not translate into write access to a user's settings.

IA-2 Identification and Authentication (Organizational Users) · prevent
Mandates that users are identified and authenticated before protected functions are reachable, addressing the improper authentication logic in verifyIdentity().

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an authentication bypass vulnerability in a public-facing web application (Bulwark Webmail) that allows unauthenticated remote attackers to access and modify settings via an API endpoint, directly mapping to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
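The defensive counterpart to the T1190 mapping above is a detection for the exact behaviour the advisory describes: a request to /api/settings that succeeds even though it carries no session cookie. The following is an added example, not code from the page or from the Bulwark Webmail project. The JSON-lines log format and its field names (ts, src, method, path, has_cookie, status) are constructed for this example; map them onto whatever the real application or reverse proxy actually logs before using it.

```javascript
// Added detection example (not from the page or the project). It scans
// log lines for the behaviour described in the advisory: a request to
// /api/settings that got a 2xx although it carried no session cookie.
// Log format and field names are constructed for this example.

const SAMPLE_LOG = [
  // Constructed sample lines. 203.0.113.7 probes without a cookie and is
  // served 200s (vulnerable behaviour); 198.51.100.9 gets the 401 a patched
  // server returns; 198.51.100.4 is a legitimate cookie-bearing session.
  '{"ts":"2026-04-02T10:00:01Z","src":"203.0.113.7","method":"GET","path":"/api/settings","has_cookie":false,"status":200}',
  '{"ts":"2026-04-02T10:00:02Z","src":"203.0.113.7","method":"PUT","path":"/api/settings","has_cookie":false,"status":200}',
  '{"ts":"2026-04-02T10:00:03Z","src":"198.51.100.4","method":"GET","path":"/api/settings","has_cookie":true,"status":200}',
  '{"ts":"2026-04-02T10:00:04Z","src":"198.51.100.9","method":"GET","path":"/api/settings","has_cookie":false,"status":401}',
  '{"ts":"2026-04-02T10:00:05Z","src":"203.0.113.7","method":"GET","path":"/healthz","has_cookie":false,"status":200}',
  "garbage line that is not JSON",
].join("\n");

// Parse JSON lines, skipping malformed ones so a single bad line does not
// abort the whole scan.
function parseLogLines(text) {
  const events = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try {
      events.push(JSON.parse(line));
    } catch (_) {
      // malformed line: skip it
    }
  }
  return events;
}

// Core rule: settings endpoint + no session cookie + 2xx response.
// A 401/403 on the same path is what a patched server returns and is not
// flagged, so the same rule doubles as a post-upgrade regression check.
function isCookielessSettingsSuccess(ev) {
  return (
    typeof ev.path === "string" &&
    ev.path.startsWith("/api/settings") &&
    ev.has_cookie === false &&
    ev.status >= 200 &&
    ev.status < 300
  );
}

function detectCookielessSettingsAccess(text) {
  const hits = parseLogLines(text)
    .filter(isCookielessSettingsSuccess)
    .map((ev) => ({
      ts: ev.ts,
      src: ev.src,
      method: ev.method,
      // A non-GET request means settings were potentially changed, which is
      // the integrity impact the CVSS vector scores; rank it higher.
      severity: ev.method === "GET" ? "medium" : "high",
    }));
  const bySource = {};
  for (const h of hits) bySource[h.src] = (bySource[h.src] || 0) + 1;
  return { hits, bySource };
}

// Stand-alone run for the reader.
const sampleResult = detectCookielessSettingsAccess(SAMPLE_LOG);
for (const h of sampleResult.hits) {
  console.log(`${h.ts} ${h.src} ${h.method} /api/settings without session cookie -> ${h.severity}`);
}
```

Run against the constructed sample, the rule flags the two cookieless 200s from 203.0.113.7 (the PUT ranked high) and ignores the 401, the cookie-bearing session and the unrelated path. Whether a session cookie was present is not part of the common access-log format, so the `has_cookie` field has to come from the application's own request logging or from a proxy configured to record it.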

NVD Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10.

Deeper analysis

CVE-2026-34834 is an improper authentication vulnerability (CWE-287) in Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server. In versions prior to 1.4.10, the verifyIdentity() function fails open: it returns true when the request carries no session cookie at all, so the absence of a session is treated as a verified identity. An attacker who simply omits the cookie and supplies arbitrary headers can therefore reach the /api/settings endpoint and access or modify user settings without ever authenticating.

The flaw is exploitable by unauthenticated remote attackers over the network, with low attack complexity and no user interaction (CVSS v3.1 base score 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). The vector scores the impact as integrity-only (C:N/I:H/A:N): the concrete consequence is unauthorized modification of a user's settings, which amounts to configuration manipulation and, depending on which settings are exposed, can lead to account takeover.

The vulnerability has been patched in Bulwark Webmail version 1.4.10. Security practitioners should upgrade to 1.4.10 or later. Additional details are available in the release notes at https://github.com/bulwarkmail/webmail/releases/tag/1.4.10 and the GitHub security advisory at https://github.com/bulwarkmail/webmail/security/advisories/GHSA-4356-876g-rfmh.
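To make the fail-open pattern concrete, the following added example models the class of flaw described above beside its fail-closed counterpart. It is illustrative code written for this page, not Bulwark Webmail's code: the advisory gives only the behaviour (verifyIdentity() returned true without session cookies), so the session store, the cookie name `session`, the request shape and the handler for /api/settings are all assumptions.

```javascript
// Added illustrative example for CVE-2026-34834: a session check that fails
// OPEN when no cookie is present, next to the fail-closed version.
// NOT Bulwark Webmail's code; names, cookie name and request shape are assumed.

// Constructed session store standing in for the server's real one.
const SESSIONS = new Map([["s3cr3t-session-id", { user: "alice" }]]);

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// VULNERABLE pattern (as the advisory describes it): when the request carries
// no session cookie, the check returns true instead of rejecting the request.
function verifyIdentityVulnerable(req) {
  const cookies = parseCookies(req.headers.cookie);
  if (!cookies.session) {
    return true; // fail-open: an unauthenticated caller counts as verified
  }
  return SESSIONS.has(cookies.session);
}

// HARDENED pattern: fail closed. No cookie or an unknown session id both
// yield false; nothing else in the request (headers included) can substitute.
function verifyIdentityFixed(req) {
  const cookies = parseCookies(req.headers.cookie);
  if (!cookies.session) return false;
  return SESSIONS.has(cookies.session);
}

// Hypothetical handler for the /api/settings endpoint named in the advisory.
// `verify` is injected so the same handler can be run with either check.
function handleSettings(req, verify, settings) {
  if (!verify(req)) return { status: 401, body: "unauthenticated" };
  if (req.method === "PUT") Object.assign(settings, req.body);
  return { status: 200, body: settings };
}

// Replays one constructed attacker request (no Cookie header, arbitrary extra
// headers, a PUT body) against both checks and reports what each one did.
function demo() {
  const attackerReq = {
    method: "PUT",
    path: "/api/settings",
    headers: { "x-user": "alice" }, // arbitrary header, no cookie at all
    body: { forward_to: "attacker@example.invalid" },
  };
  const before = { forward_to: "" };
  const vuln = handleSettings(attackerReq, verifyIdentityVulnerable, { ...before });
  const fixed = handleSettings(attackerReq, verifyIdentityFixed, { ...before });
  return {
    vulnStatus: vuln.status,
    vulnForwardTo: vuln.body.forward_to,
    fixedStatus: fixed.status,
  };
}

console.log(demo());
```

Against the vulnerable check the cookieless PUT is accepted and the setting is rewritten; against the fixed check the same request is rejected with 401 while a request carrying a valid session cookie still passes. The general lesson is the one the CWE-287 classification encodes: an authentication routine must return false for every input it cannot positively verify, and "no credential supplied" is the first such input to test.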

Details

CWE(s)
CWE-287 Improper Authentication

Affected Products
bulwarkmail/webmail, versions prior to 1.4.10 (fixed in 1.4.10)

CVEs Like This One

CVE-2026-34833 · Same product: Bulwark Webmail
CVE-2026-35389 · Same product: Bulwark Webmail
CVE-2026-35391 · Same product: Bulwark Webmail
CVE-2026-5570 · Shared CWE-287
CVE-2025-52395 · Shared CWE-287
CVE-2025-15484 · Shared CWE-287
CVE-2026-41571 · Shared CWE-287
CVE-2026-2174 · Shared CWE-287
CVE-2025-71279 · Shared CWE-287
CVE-2024-13804 · Shared CWE-287

References

https://github.com/bulwarkmail/webmail/releases/tag/1.4.10 (release notes, version 1.4.10)
https://github.com/bulwarkmail/webmail/security/advisories/GHSA-4356-876g-rfmh (GitHub security advisory)