CVE-2026-35389
Published: 06 April 2026
Summary
CVE-2026-35389 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Bulwarkmail Webmail. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Phishing (T1566); ranked at the 6.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely flaw remediation directly addresses the improper certificate validation in Bulwark Webmail by updating to version 1.4.11, the release that enables trust chain checking.
- SC-17 (Public Key Infrastructure Certificates): requires establishment and validation of public key infrastructure certificates, directly mitigating the failure to verify S/MIME certificate trust chains.
- Integrity verification mechanisms for information such as email content prevent the webmail client from accepting signatures made with untrusted or self-signed certificates.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability bypasses S/MIME certificate chain validation, so spoofed emails signed with self-signed certificates appear to carry valid signatures. This directly enables Email Spoofing (T1672) and facilitates Phishing (T1566) by misleading recipients about the authenticity and origin of malicious content.
NVD Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.
Deeper analysis
CVE-2026-35389 is a vulnerability in Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server, affecting versions prior to 1.4.11. The issue stems from the S/MIME signature verification process, which fails to validate the certificate trust chain because the checkChain parameter is set to false. Consequently, emails signed with self-signed or untrusted certificates are incorrectly displayed as having valid signatures, undermining the reliability of signature verification. This flaw is classified under CWE-295 (Improper Certificate Validation) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, authentication, or user interaction. By sending emails signed with self-signed or otherwise untrusted certificates, attackers can trick the webmail client into presenting these signatures as valid. This enables integrity attacks where recipients are misled into believing the email's authenticity and origin, potentially facilitating phishing, spoofing, or the distribution of malicious content under the guise of trusted communications.
The vulnerability is addressed in Bulwark Webmail version 1.4.11, which enables proper certificate trust chain validation. Additional details on the issue and mitigation are available in the GitHub Security Advisory at https://github.com/bulwarkmail/webmail/security/advisories/GHSA-v6w6-338p-p256. Security practitioners should ensure affected deployments are updated promptly to prevent exploitation.
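The following added example (constructed here, not Bulwark Webmail's code) reproduces the two verification behaviours described above with the OpenSSL CLI: `-noverify` checks only the signature and ignores the signer's chain, which is what a checkChain: false configuration amounts to, while `-CAfile` requires the signer certificate to chain to a trusted CA. The CA, the legitimate signer, the impostor's self-signed certificate and the message are all generated locally under assumed names.

```shell
#!/bin/sh
# Constructed demo: S/MIME signature check with and without chain validation.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed trust store: the one CA that recipients actually trust.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Example Trusted CA" -days 2 2>/dev/null
# Legitimate signer: certificate issued by the trusted CA.
openssl req -newkey rsa:2048 -nodes -keyout good.key -out good.csr \
  -subj "/CN=alice@example.test" 2>/dev/null
openssl x509 -req -in good.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out good.pem -days 2 2>/dev/null
# Impostor: a self-signed certificate claiming the same identity.
openssl req -x509 -newkey rsa:2048 -nodes -keyout bad.key -out bad.pem \
  -subj "/CN=alice@example.test" -days 2 2>/dev/null

# Constructed message, signed once by each party (signer cert is embedded).
printf 'Subject: invoice\n\nPlease wire the funds.\n' > msg.txt
openssl cms -sign -in msg.txt -signer good.pem -inkey good.key -out good.p7m
openssl cms -sign -in msg.txt -signer bad.pem -inkey bad.key -out bad.p7m

# Vulnerable behaviour: signature math only, chain ignored (checkChain: false).
verify_nochain() {
  openssl cms -verify -in "$1" -noverify -out /dev/null 2>/dev/null
}
# Fixed behaviour: the embedded signer cert must chain to the trust store.
verify_chain() {
  openssl cms -verify -in "$1" -CAfile ca.pem -out /dev/null 2>/dev/null
}

for m in good.p7m bad.p7m; do
  verify_nochain "$m" && echo "noverify: $m accepted" || echo "noverify: $m rejected"
  verify_chain "$m"   && echo "chain:    $m accepted" || echo "chain:    $m rejected"
done
```

Expect both messages to pass under `-noverify` and only good.p7m to pass under `-CAfile`: the self-signed impostor is exactly the case the 1.4.11 fix rejects.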
Details
- CWE(s)