Cyber Resilience

CVE-2026-35389

Severity: High
Published: 06 April 2026
Modified: 09 April 2026
KEV Added: not listed
Patch: available (fixed in 1.4.11)
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0018 (7.4th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-35389 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Bulwarkmail Webmail. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Phishing (T1566). EPSS ranks the vulnerability at the 7.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35389 is a vulnerability in Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server, affecting versions prior to 1.4.11. The issue stems from the S/MIME signature verification process, which fails to validate the certificate trust chain because the checkChain parameter is set to false. Consequently, emails signed with self-signed or untrusted certificates are incorrectly displayed as having valid signatures, undermining the reliability of signature verification. This flaw is classified under CWE-295 (Improper Certificate Validation) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, authentication, or user interaction. By sending emails signed with self-signed or otherwise untrusted certificates, attackers can trick the webmail client into presenting these signatures as valid. This enables integrity attacks where recipients are misled into believing the email's authenticity and origin, potentially facilitating phishing, spoofing, or the distribution of malicious content under the guise of trusted communications.

The vulnerability is addressed in Bulwark Webmail version 1.4.11, which enables proper certificate trust chain validation. Additional details on the issue and mitigation are available in the GitHub Security Advisory at https://github.com/bulwarkmail/webmail/security/advisories/GHSA-v6w6-338p-p256. Security practitioners should ensure affected deployments are updated promptly to prevent exploitation.
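To make the failure mode concrete, the following Go program is an added example (not Bulwark's code, which this page does not show) built on the standard library's crypto/x509. It mints a self-signed certificate for a constructed address, signs a constructed message, and runs the acceptance decision with the chain check off (the pre-1.4.11 checkChain: false behaviour) and on, first against an empty trust store and then against one in which the recipient has explicitly trusted that certificate. The function names, the address and the message are assumptions for illustration, and a raw ECDSA signature over the message bytes stands in for the CMS SignedData envelope that real S/MIME uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert mints a self-signed S/MIME-style certificate for addr, which anyone can do for any address.
func selfSignedCert(addr string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: addr}, EmailAddresses: []string{addr},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)) // parent == template: self-signed
	return must(x509.ParseCertificate(der)), key
}

// SignatureValid models the webmail decision. The signature over the message is always verified, but the
// signer certificate is chained to the recipient's trusted roots only when checkChain is true (the 1.4.11 fix).
func SignatureValid(msg, sig []byte, signer *x509.Certificate, roots *x509.CertPool, checkChain bool) bool {
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil || !checkChain {
		return err == nil // checkChain false: a mathematically correct signature from any key at all is enough
	}
	_, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err == nil
}

// Demo returns {accepted with checkChain false, accepted with checkChain true} for an unvetted certificate and for one the recipient pinned.
func Demo() (untrusted, trusted [2]bool) {
	cert, key := selfSignedCert("alice@example.test") // constructed address
	msg := []byte("From: alice@example.test\r\nSubject: Invoice\r\n\r\nPlease pay the attached invoice.") // constructed sample
	digest := sha256.Sum256(msg)
	sig := must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
	empty, pinned := x509.NewCertPool(), x509.NewCertPool()
	pinned.AddCert(cert) // same certificate, but this recipient has deliberately trusted it
	return [2]bool{SignatureValid(msg, sig, cert, empty, false), SignatureValid(msg, sig, cert, empty, true)},
		[2]bool{SignatureValid(msg, sig, cert, pinned, false), SignatureValid(msg, sig, cert, pinned, true)}
}
```

With the chain check off, the unvetted certificate is accepted exactly like the pinned one, which is the "valid signature" the advisory describes; with it on, only the certificate the recipient actually trusts passes.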


Vulnerability details

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.

CWE(s): CWE-295 Improper Certificate Validation

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1566 Phishing (Initial Access): Adversaries may send phishing messages to gain access to victim systems.
T1684.002 Email Spoofing (Stealth): Adversaries may fake, or spoof, a sender's identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.

Why these techniques?

The vulnerability bypasses S/MIME certificate chain validation, allowing spoofed emails signed with self-signed certificates to appear valid. It directly enables email spoofing (T1672) and facilitates phishing by misleading recipients about the authenticity and origin of malicious content (T1566).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35391 (same product: Bulwarkmail Webmail)
CVE-2026-34833 (same product: Bulwarkmail Webmail)
CVE-2026-34834 (same product: Bulwarkmail Webmail)
CVE-2026-7821 (shared CWE-295)
CVE-2026-33810 (shared CWE-295)
CVE-2026-42012 (shared CWE-295)
CVE-2025-0500 (shared CWE-295)
CVE-2024-11621 (shared CWE-295)
CVE-2026-21228 (shared CWE-295)
CVE-2026-8992 (shared CWE-295)

Affected Assets

bulwarkmail / webmail: ≤ 1.4.11

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent (SI-2, Flaw Remediation): Timely flaw remediation directly addresses the improper certificate validation in Bulwark Webmail by applying the patch to version 1.4.11 that enables trust chain checking.

Prevent (SC-17, Public Key Infrastructure Certificates): Requires establishment and validation of public key infrastructure certificates, directly mitigating the failure to verify S/MIME certificate trust chains.

Prevent: Mandates integrity verification mechanisms for information such as email content, preventing the webmail client from accepting signatures with untrusted or self-signed certificates.