Description
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.
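As an added illustration (not code from Bulwark Webmail; its real getClientIP() is not reproduced here), the TypeScript below contrasts the leftmost-entry pattern the description names with a reverse walk that skips a configured number of trusted reverse proxies. The Headers type, function names, the trustedProxies parameter and the sample addresses are assumptions for this example.

```typescript
// Added example for the bug class named in the description: trusting the
// leftmost X-Forwarded-For entry. Function names, the Headers type and the
// trustedProxies parameter are assumptions, not Bulwark Webmail's own code.

type Headers = Record<string, string | undefined>;

// Loose plausibility check so a garbage header entry is never used as a key.
function looksLikeIp(s: string): boolean {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (v4) return v4.slice(1).every((o) => Number(o) <= 255);
  return /^[0-9a-fA-F:]+$/.test(s) && s.includes(":");
}

// Vulnerable pattern: the leftmost entry is whatever the client chose to send,
// so rate-limit keys and audit log entries derived from it are client-chosen.
function getClientIPLeftmost(headers: Headers, socketAddr: string): string {
  const xff = headers["x-forwarded-for"];
  if (xff) return xff.split(",")[0].trim();
  return socketAddr;
}

// Hardened pattern: only the last `trustedProxies` hops were appended by
// infrastructure we control; walk from the right and take the entry appended
// by the outermost trusted proxy. Anything further left is client-supplied.
function getClientIPTrusted(headers: Headers, socketAddr: string, trustedProxies: number): string {
  // Not behind a proxy: the header is untrusted in its entirety.
  if (trustedProxies <= 0) return socketAddr;
  const xff = headers["x-forwarded-for"];
  if (!xff) return socketAddr;
  const hops = xff.split(",").map((h) => h.trim()).filter((h) => h.length > 0);
  // The socket peer is proxy N and is not in the header. Proxy 1 appended the
  // client address and proxies 2..N each appended the proxy before them, so
  // the real client sits at index hops.length - trustedProxies.
  const idx = hops.length - trustedProxies;
  const hop = hops[idx];
  // Fewer hops than trusted proxies, or a non-IP value: refuse to guess and
  // fall back to the socket address the proxy chain actually connected from.
  if (idx < 0 || hop === undefined || !looksLikeIp(hop)) return socketAddr;
  return hop;
}
```

Note that the hardened version is only as good as the trustedProxies count: configuring more trusted hops than actually exist reopens the same spoofing path one entry further to the left.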
INFO
Published Date: 2026-04-06T20:17:39.793Z
Last Modified: 2026-04-06T20:17:39.793Z
Source: GitHub_M
AFFECTED PRODUCTS
The following products are affected by the CVE-2026-35391 vulnerability.
| Vendors | Products |
|---|---|
| Bulwarkmail | Bulwark Webmail |