S/MIME Verification Flaw in Bulwark Webmail by Stalwart Mail Server
CVE-2026-35389

8.7HIGH

Key Information:

Vendor: Bulwarkmail
Status: Webmail
Vendor: CVE Published:; 6 April 2026

🔔 Create Bulwarkmail Vulnerability Alert

What is CVE-2026-35389?

Bulwark Webmail, a webmail client for Stalwart Mail Server, had a vulnerability that allowed S/MIME signatures from self-signed or untrusted certificates to be incorrectly validated. This flaw, present in versions prior to 1.4.11, failed to verify the certificate trust chain, potentially misleading users into believing that untrusted emails were secure. The issue was resolved in version 1.4.11, and users are encouraged to update to the latest version to ensure proper security.

Affected Version(s)

webmail < 1.4.11

References

https://github.com/bulwarkmail/webmail/security/advisorie...

x_refsource_CONFIRM

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
Vulnerability Reserved
Apr 2, 2026

CVE-2026-35389 Data

JSON