Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server, contained a critical authentication bypass vulnerability identified as CVE-2026-34834. The root cause lies in the verifyIdentity() function, which erroneously returns true if no session cookies are detected. This logic flaw means that unauthenticated attackers can circumvent normal authentication checks. By exploiting this, attackers can send crafted requests with arbitrary headers to the /api/settings endpoint, gaining unauthorized access to user settings and potentially modifying them. This vulnerability affects all versions prior to 1.4.10 and does not require any privileges or user interaction, making it highly exploitable remotely over the network. The vulnerability is classified under CWE-287 (Improper Authentication) and has a CVSS 4.0 base score of 8.7, indicating high severity due to its ease of exploitation and impact on confidentiality and integrity. The vendor has addressed this issue in version 1.4.10 by correcting the authentication logic to properly verify session cookies before granting access.

The vulnerability allows unauthenticated attackers to bypass authentication controls and access or modify user settings within the Bulwark Webmail client. This can lead to unauthorized disclosure of sensitive configuration data, alteration of user preferences, or potentially further compromise of the mail server environment if settings affect security controls or mail routing. Organizations relying on Bulwark Webmail for email services face risks of account takeover, data leakage, and disruption of mail services. Since the flaw requires no authentication or user interaction and is exploitable remotely, the attack surface is broad. Exploitation could undermine trust in organizational communications and lead to downstream attacks such as phishing or lateral movement within networks. Although no known exploits are reported in the wild yet, the high severity and straightforward exploitation make it a critical risk that demands immediate remediation.

The primary mitigation is to upgrade Bulwark Webmail to version 1.4.10 or later, where the authentication bypass has been fixed. Until the upgrade can be applied, organizations should restrict network access to the webmail interface to trusted IPs or VPN users to reduce exposure. Implementing Web Application Firewall (WAF) rules to detect and block anomalous requests to the /api/settings endpoint may provide temporary protection. Monitoring logs for unusual access patterns or unauthorized changes to user settings can help detect exploitation attempts. Additionally, enforcing strong authentication and session management policies on the mail server and related infrastructure can limit the impact of any unauthorized access. Regular vulnerability scanning and penetration testing should be conducted to verify that the patch is applied and no residual weaknesses remain.