CVE-2026-34833 is a vulnerability classified under CWE-312 (Cleartext Storage of Sensitive Information) affecting Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint returned the user's plaintext password within the JSON response. This design flaw exposes sensitive credentials to multiple attack vectors including browser logs, local caches, and network proxies. Because the password is transmitted in cleartext and included in API responses, any entity with access to network traffic or local machine logs can capture user credentials without requiring authentication or user interaction. The vulnerability has a CVSS 4.0 base score of 8.7, indicating high severity due to network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality. The flaw was addressed in version 1.4.10 by removing the plaintext password from the API response, thus preventing exposure. While no known exploits have been reported in the wild, the vulnerability represents a significant risk to confidentiality and user account security in affected deployments.

The primary impact of CVE-2026-34833 is the compromise of user credentials through exposure of plaintext passwords in API responses. This can lead to unauthorized access to user email accounts, potentially allowing attackers to read sensitive communications, impersonate users, and escalate attacks within an organization. Since the password is exposed over the network and stored in browser caches and logs, attackers with network access or local machine access can easily harvest credentials. This undermines the confidentiality and integrity of user accounts and can facilitate further attacks such as phishing, lateral movement, or data exfiltration. Organizations relying on Bulwark Webmail for internal or external communications face increased risk of account compromise and data breaches if running affected versions. The vulnerability does not directly affect availability but can indirectly disrupt operations if accounts are compromised or trust is lost.

Organizations should immediately upgrade Bulwark Webmail to version 1.4.10 or later where the vulnerability is patched. In addition, administrators should audit existing logs and caches for exposed credentials and enforce password resets for affected users to mitigate potential compromise. Network traffic should be monitored for suspicious activity indicating credential harvesting attempts. Implementing strict transport layer security (TLS) and ensuring no sensitive data is logged or cached by browsers can reduce exposure. Deploying network segmentation and limiting access to the webmail server can also reduce attack surface. Finally, educating users about the risks of credential exposure and encouraging use of multi-factor authentication (MFA) where possible will help mitigate the impact of stolen credentials.