CVE-2026-35391
Published: 06 April 2026
Summary
CVE-2026-35391 is a high-severity Use of Less Trusted Source (CWE-348) vulnerability in Bulwarkmail Webmail. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). It is ranked at the 6.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the vulnerability by requiring validation of the client-controlled X-Forwarded-For header, so that a spoofed value cannot drive rate limiting or audit logging.
- SI-2 (Flaw Remediation): remediates the specific flaw in the getClientIP() function by identifying, reporting, and patching to version 1.4.11 or later.
- SC-7 (Boundary Protection): enforces boundary protection at network interfaces so that the reverse proxy validates, overwrites, or strips untrusted X-Forwarded-For values before they reach the application, ensuring accurate client IP determination.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets a client spoof X-Forwarded-For to evade IP-based rate limiting, directly facilitating brute-force attacks on the admin login (T1110); it also lets the attacker falsify the source address recorded in audit-log entries to obscure their origin, which maps to Indicator Removal (T1070).
NVD Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.
Deeper analysis
CVE-2026-35391 affects Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server, in versions prior to 1.4.11. The vulnerability resides in the getClientIP() function within lib/admin/session.ts, which naively trusts the first (leftmost) entry of the X-Forwarded-For HTTP header—a value fully controlled by the client. This flaw, classified under CWE-348 (Use of Less Trusted Source), enables IP address spoofing and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact with no confidentiality or availability effects.
Remote attackers require no privileges or user interaction to exploit this over the network with low complexity. By forging the X-Forwarded-For header, they can spoof their source IP address to evade IP-based rate limiting, facilitating brute-force attacks against the admin login interface. Additionally, attackers can manipulate audit log entries to make malicious activities appear to originate from arbitrary IP addresses, potentially complicating incident response and attribution.
The GitHub Security Advisory (GHSA-7pj2-232x-6698) confirms the issue is resolved in Bulwark Webmail version 1.4.11; the advisory does not describe the fix, which presumably stops deriving the client address from the leftmost, client-supplied entry. Security practitioners should upgrade to 1.4.11 or later and, independently of the upgrade, verify the deployment around the application: X-Forwarded-For should only be honoured when the TCP peer is a trusted reverse proxy, the address to use is the rightmost entry that was not appended by a trusted proxy rather than the leftmost, and the proxy itself must append the real peer address (or overwrite the header outright) so that a client-supplied prefix can never become the selected value. An instance exposed directly to the internet should ignore the header entirely and use the socket address.
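As an added example (this is not Bulwark Webmail's code, and it is not the 1.4.11 fix, which the advisory does not show), the TypeScript below contrasts the leftmost-entry pattern described in the NVD text and the analysis above with an extractor that only honours hops appended by proxies the operator has declared trusted, and replays a constructed burst of admin-login attempts through a per-IP limiter to show why the first evades rate limiting and the second does not. The function names, the proxy address 10.0.0.1, the attacker address 203.0.113.7 and the rotating spoofed addresses are assumptions made for this example.

```typescript
// Added example, not Bulwark Webmail's code. All names and addresses are assumptions.

export interface ConnInfo {
  remoteAddr: string;                             // TCP peer of the application process
  headers: Record<string, string | undefined>;    // lower-cased header names
}

// VULNERABLE (the pre-1.4.11 pattern): the first entry is whatever the client sent.
export function getClientIpLeftmost(conn: ConnInfo): string {
  const xff = conn.headers["x-forwarded-for"];
  if (xff) {
    return xff.split(",")[0].trim();
  }
  return conn.remoteAddr;
}

function isValidIp(s: string): boolean {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (v4) {
    return v4.slice(1).every((octet) => Number(octet) <= 255);
  }
  // Loose IPv6 check: hex digits, colons and dots only, with at least one colon.
  return s.includes(":") && /^[0-9a-fA-F:.]+$/.test(s);
}

// HARDENED: honour X-Forwarded-For only when the TCP peer is a trusted proxy, then
// walk the list from the right, skipping further trusted proxies. The first address
// that is not a trusted proxy is the client; everything left of it came from the
// client and is ignored. An empty trustedProxies set means "never trust the header".
export function getClientIpTrusted(conn: ConnInfo, trustedProxies: Set<string>): string {
  if (!trustedProxies.has(conn.remoteAddr)) {
    return conn.remoteAddr;                       // direct connection: header is untrusted
  }
  const hops = (conn.headers["x-forwarded-for"] ?? "")
    .split(",")
    .map((h) => h.trim())
    .filter((h) => h.length > 0);
  for (let i = hops.length - 1; i >= 0; i--) {
    const hop = hops[i];
    if (!trustedProxies.has(hop)) {
      return isValidIp(hop) ? hop : conn.remoteAddr; // malformed hop: fall back to the peer
    }
  }
  return conn.remoteAddr;                         // empty header, or only trusted proxies listed
}

// Fixed-count limiter keyed by the extracted IP, constructed for the demo.
export class IpRateLimiter {
  private readonly counts = new Map<string, number>();
  private readonly maxAttempts: number;
  constructor(maxAttempts: number) {
    this.maxAttempts = maxAttempts;
  }
  allow(ip: string): boolean {
    const n = (this.counts.get(ip) ?? 0) + 1;
    this.counts.set(ip, n);
    return n <= this.maxAttempts;
  }
}

// Replays a constructed burst of admin-login attempts from one attacker (203.0.113.7)
// behind a trusted reverse proxy (10.0.0.1). The attacker rotates the X-Forwarded-For
// value on every request; the proxy appends the real peer address after it.
// Returns how many attempts the limiter let through.
export function attemptsAllowed(
  extract: (conn: ConnInfo) => string,
  attempts: number,
  maxAttempts: number,
): number {
  const limiter = new IpRateLimiter(maxAttempts);
  let allowed = 0;
  for (let i = 0; i < attempts; i++) {
    const spoofed = `198.51.100.${(i % 250) + 1}`;
    const conn: ConnInfo = {
      remoteAddr: "10.0.0.1",
      headers: { "x-forwarded-for": `${spoofed}, 203.0.113.7` },
    };
    if (limiter.allow(extract(conn))) {
      allowed++;
    }
  }
  return allowed;
}

export const TRUSTED_PROXIES = new Set(["10.0.0.1"]);

console.log("leftmost extractor, 100 attempts, limit 5:", attemptsAllowed(getClientIpLeftmost, 100, 5));
console.log("trusted-hop extractor, 100 attempts, limit 5:",
  attemptsAllowed((c) => getClientIpTrusted(c, TRUSTED_PROXIES), 100, 5));
```

With the leftmost extractor every request lands in a fresh bucket, so all 100 attempts pass a limit of 5; with the trusted-hop extractor all 100 resolve to 203.0.113.7 and only 5 pass. The same extractor output is what an audit log records, so the second variant also closes the log-forging path. The hardening only holds if the proxy really appends the peer address; in nginx that is `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, and a proxy that passes the header through unchanged leaves the application no trustworthy hop to pick.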
Details
- CWE(s)