CVE-2026-35391: CWE-348: Use of Less Trusted Source in bulwarkmail webmail
CVE-2026-35391 affects Bulwark Webmail versions prior to 1.4.11. The vulnerability arises because the getClientIP() function trusts the first (leftmost) entry in the X-Forwarded-For header. Proxies append to that header, so the leftmost entry is whatever the original client chose to send, and an attacker can forge their apparent source IP address at will. This potentially bypasses IP-based rate limiting on the admin login, enabling brute-force attacks, and lets attackers misattribute audit log entries for malicious activity to arbitrary IP addresses. The issue is fixed in version 1.4.11.
AI Analysis
Technical Summary
Bulwark Webmail before version 1.4.11 contains a vulnerability (CWE-348) in the getClientIP() function located in lib/admin/session.ts. This function incorrectly trusts the first (leftmost) IP address in the X-Forwarded-For HTTP header. Because each proxy appends the peer address it saw, only the entries appended by the operator's own proxies are trustworthy; the leftmost entry is fully controllable by the client. An attacker can therefore spoof their IP address to bypass IP-based rate limiting mechanisms designed to protect the admin login from brute-force attacks, simply by sending a different header value on each attempt. Furthermore, the attacker can manipulate audit logs to make malicious actions appear as if they originated from arbitrary IP addresses. The vulnerability has a CVSS 4.0 score of 8.7, indicating high severity. The vulnerability is resolved in Bulwark Webmail version 1.4.11.
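The following TypeScript is an added illustration, not code from Bulwark Webmail or its advisory (the real lib/admin/session.ts is not reproduced on this page). It contrasts the leftmost-entry pattern the advisory describes with a trusted-hop-count extraction, and runs a constructed brute-force simulation through a per-IP rate limiter to show why the vulnerable pattern yields no lockout. The request shape, the limiter, and all addresses (192.0.2.1 as the proxy, 203.0.113.7 as the real client, 10.0.x.x and 198.51.100.99 as forged values) are assumptions made for the example.

```typescript
// Added example: forging the leftmost X-Forwarded-For entry vs. trusting only
// the hops appended by known proxies. Not Bulwark Webmail's code.
import { isIP } from "node:net";

type HeaderMap = Record<string, string | undefined>;

// Assumed minimal request shape: the peer address seen on the socket plus
// lowercased headers.
export interface IncomingReq {
  socketAddress: string;
  headers: HeaderMap;
}

// Vulnerable pattern described in the advisory: take the first (leftmost)
// X-Forwarded-For entry. Proxies append, so this is whatever the client sent.
export function getClientIPVulnerable(req: IncomingReq): string {
  const xff = req.headers["x-forwarded-for"];
  if (xff) {
    return (xff.split(",")[0] ?? "").trim();
  }
  return req.socketAddress;
}

// Hardened pattern: trust exactly `trustedProxyHops` entries at the right end of
// the header (one per proxy we operate). The client address is the entry just
// left of that trusted block. With 0 hops the header is ignored entirely.
export function getClientIPHardened(req: IncomingReq, trustedProxyHops: number): string {
  if (trustedProxyHops <= 0) return req.socketAddress;
  const xff = req.headers["x-forwarded-for"];
  if (!xff) return req.socketAddress;
  const hops = xff.split(",").map((s) => s.trim()).filter(Boolean);
  const idx = hops.length - trustedProxyHops;
  // Fewer hops than expected means a misconfigured chain; fall back to the socket.
  if (idx < 0) return req.socketAddress;
  const candidate = hops[idx] ?? "";
  // Reject non-IP garbage so it cannot be written into audit logs or rate keys.
  return isIP(candidate) ? candidate : req.socketAddress;
}

// Simple per-key attempt counter standing in for an IP-based login limiter.
export class LoginRateLimiter {
  private attempts = new Map<string, number>();
  constructor(private readonly maxAttempts: number) {}
  // Returns true if this attempt is allowed, false once the key is locked out.
  tryAttempt(key: string): boolean {
    const n = (this.attempts.get(key) ?? 0) + 1;
    this.attempts.set(key, n);
    return n <= this.maxAttempts;
  }
}

// Constructed scenario: one attacker socket behind a single trusted reverse
// proxy sends `count` login attempts, each with a freshly forged leftmost
// X-Forwarded-For value. Returns how many attempts each extraction lets through.
export function simulateBruteForce(count: number, maxAttempts: number): { vulnerable: number; hardened: number } {
  const vuln = new LoginRateLimiter(maxAttempts);
  const hard = new LoginRateLimiter(maxAttempts);
  let vulnerable = 0;
  let hardened = 0;
  for (let i = 0; i < count; i++) {
    const forged = `10.0.${Math.floor(i / 256)}.${i % 256}`;
    const req: IncomingReq = {
      socketAddress: "192.0.2.1", // the proxy, as the app sees it (assumed)
      // attacker-supplied value first; the proxy appended the real peer last
      headers: { "x-forwarded-for": `${forged}, 203.0.113.7` },
    };
    if (vuln.tryAttempt(getClientIPVulnerable(req))) vulnerable++;
    if (hard.tryAttempt(getClientIPHardened(req, 1))) hardened++;
  }
  return { vulnerable, hardened };
}

// Audit-log misattribution: what each extraction would record for one request.
export function auditSourceFor(req: IncomingReq): { vulnerable: string; hardened: string } {
  return { vulnerable: getClientIPVulnerable(req), hardened: getClientIPHardened(req, 1) };
}

console.log(simulateBruteForce(1000, 5)); // constructed run: 1000 vs 5 allowed
```

With 1000 attempts and a five-attempt limit, the vulnerable extraction never locks the attacker out because every request presents a new key, while the hardened one stops after five. The same hop-count rule determines what lands in the audit log: a header of "198.51.100.99, 203.0.113.7" is recorded as the forged 198.51.100.99 by the vulnerable function and as the proxy-observed 203.0.113.7 by the hardened one.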
Potential Impact
An attacker can bypass IP-based rate limiting protections on the admin login by forging the X-Forwarded-For header, enabling brute-force password attacks. Additionally, audit logs can be falsified to misattribute malicious activity to arbitrary IP addresses, potentially hindering incident response and forensic investigations. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Bulwark Webmail to version 1.4.11 or later, where this vulnerability is fixed. Since this is a self-hosted product, administrators must apply the update themselves. Patch status is confirmed fixed in version 1.4.11. No other mitigations are indicated by the vendor advisory. As general hardening for any application deployed behind a reverse proxy (not guidance from the advisory): configure the proxy to overwrite, rather than append to, client-supplied X-Forwarded-For values, so the application only ever sees the address the proxy observed; and treat the source IP recorded in admin-login audit entries from before the upgrade as attacker-controllable, since the vulnerable extraction wrote whatever the client sent.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-02T17:03:42.074Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d417e60a160ebd92da7f8b
Added to database: 4/6/2026, 8:30:30 PM
Last enriched: 4/6/2026, 8:45:32 PM
Last updated: 4/6/2026, 10:47:26 PM