CVE-2026-35389
Bulwark Webmail S/MIME signature verification accepted self-signed certificates
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
6th
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.
| CWE | CWE-295 |
| Vendor | bulwarkmail |
| Product | webmail |
| Published | Apr 6, 2026 |
| Last Updated | Apr 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for bulwarkmail webmail
Be the first to know when new unknown vulnerabilities affecting bulwarkmail webmail are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
bulwarkmail / webmail
< 1.4.11