CVE-2026-35389

Bulwark Webmail S/MIME signature verification accepted self-signed certificates

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.

INFO

Published Date :

2026-04-06T20:11:56.827Z

Last Modified :

2026-04-06T20:13:14.975Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-35389 vulnerability.

Vendors	Products
Bulwarkmail	Webmail

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35389.

URL	Resource
https://github.com/bulwarkmail/webmail/security/advisories/GHSA-v6w6-338p-p256

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability