CVE-2026-34833

EUVD-2026-18530
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxie. This issue has been patched in version 1.4.10.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Affected Products (NVD)
VendorProductVersion
bulwarkmailwebmail
𝑥
< 1.4.10
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/bulwarkmail/webmail/releases/tag/1.4.10
https://github.com/bulwarkmail/webmail/security/advisories/GHSA-47pm-883h-885r