CVE-2026-35389: CWE-295: Improper Certificate Validation in bulwarkmail webmail
CVE-2026-35389 is a high-severity vulnerability in Bulwark Webmail versions prior to 1. 4. 11 where S/MIME signature verification did not properly validate the certificate trust chain. This flaw caused emails signed with self-signed or untrusted certificates to be incorrectly shown as having valid signatures. The issue is fixed in version 1. 4. 11.
AI Analysis
Technical Summary
Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server, had an improper certificate validation vulnerability (CWE-295) affecting S/MIME signature verification before version 1.4.11. Specifically, the software did not check the certificate trust chain (checkChain was set to false), allowing emails signed with untrusted or self-signed certificates to appear as validly signed. This vulnerability was assigned CVE-2026-35389 with a CVSS 4.0 base score of 8.7, indicating high severity. The vulnerability was addressed and fixed in Bulwark Webmail version 1.4.11.
Potential Impact
The vulnerability allows an attacker to craft emails signed with self-signed or untrusted certificates that are incorrectly displayed as having valid signatures by the affected Bulwark Webmail clients. This could lead to users trusting malicious emails under false assurance of authenticity and integrity. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Bulwark Webmail to version 1.4.11 or later, where the certificate trust chain validation for S/MIME signatures is correctly enforced. Since the vendor advisory indicates the issue is fixed in 1.4.11, applying this official fix fully mitigates the vulnerability. Patch status is confirmed by the vendor's versioning information.
CVE-2026-35389: CWE-295: Improper Certificate Validation in bulwarkmail webmail
Description
CVE-2026-35389 is a high-severity vulnerability in Bulwark Webmail versions prior to 1. 4. 11 where S/MIME signature verification did not properly validate the certificate trust chain. This flaw caused emails signed with self-signed or untrusted certificates to be incorrectly shown as having valid signatures. The issue is fixed in version 1. 4. 11.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server, had an improper certificate validation vulnerability (CWE-295) affecting S/MIME signature verification before version 1.4.11. Specifically, the software did not check the certificate trust chain (checkChain was set to false), allowing emails signed with untrusted or self-signed certificates to appear as validly signed. This vulnerability was assigned CVE-2026-35389 with a CVSS 4.0 base score of 8.7, indicating high severity. The vulnerability was addressed and fixed in Bulwark Webmail version 1.4.11.
Potential Impact
The vulnerability allows an attacker to craft emails signed with self-signed or untrusted certificates that are incorrectly displayed as having valid signatures by the affected Bulwark Webmail clients. This could lead to users trusting malicious emails under false assurance of authenticity and integrity. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Bulwark Webmail to version 1.4.11 or later, where the certificate trust chain validation for S/MIME signatures is correctly enforced. Since the vendor advisory indicates the issue is fixed in 1.4.11, applying this official fix fully mitigates the vulnerability. Patch status is confirmed by the vendor's versioning information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-02T17:03:42.074Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d417e60a160ebd92da7f85
Added to database: 4/6/2026, 8:30:30 PM
Last enriched: 4/6/2026, 8:45:48 PM
Last updated: 4/6/2026, 10:38:37 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.