CVE-2026-35389

Published April 6th, 2026

View on NVD ↗

CVSS v3

7.5

HIGH

CVSS v2

N/A

Affected

PROJECT

Description

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.

bulwarkmail/webmail

JMAP Webmail built for the 21st Century. A modern, self-hosted email client for Stalwart Mail Server powered by the JMAP protocol. Email, calendar, contacts and files. Fast, private, and open source.

GitHub

598