High-Severity Flaw in Bulwark Webmail Affects S/MIME Signature Verification
A high-severity vulnerability, CVE-2026-35389, has been identified in Bulwark Webmail, a self-hosted client for Stalwart Mail Server. This flaw allowed emails signed with untrusted S/MIME certificates to appear legitimate due to a failure in validating the certificate trust chain. The issue has since been rectified in version 1.4.11 of the software.
Context
CVE-2026-35389 is a high-severity flaw discovered in Bulwark Webmail, a self-hosted email client designed for Stalwart Mail Server. The vulnerability specifically affects the S/MIME signature verification process, which is crucial for ensuring the authenticity of signed emails. The flaw has been addressed in the latest software update, version 1.4.11.
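The difference between a valid signature and a trusted signer, shown with the openssl command line as an added example (not Bulwark Webmail's code and not taken from the advisory): a message signed with a self-signed certificate passes when chain validation is skipped and is rejected once a chain to a trusted CA is required. The CA name, the address and the message are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added illustration of the bug class, not Bulwark Webmail's code.
# Every name, address and message below is constructed for this demo.

# Run a command quietly and report whether it succeeded.
verdict() { if "$@" >/dev/null 2>&1; then echo accept; else echo reject; fi; }

smime_trust_demo() {
  local d sig_only chain trusted
  d=$(mktemp -d) || return 1

  # A CA the verifier trusts, and a signer certificate issued by it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Trusted CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alice@example.test" \
    -keyout "$d/good.key" -out "$d/good.csr" 2>/dev/null
  openssl x509 -req -in "$d/good.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/good.pem" 2>/dev/null

  # A self-signed certificate with the same subject; no trusted CA issued it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice@example.test" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null

  printf 'Constructed test message\n' > "$d/msg.txt"
  openssl smime -sign -in "$d/msg.txt" -signer "$d/good.pem" -inkey "$d/good.key" \
    -out "$d/good.eml" 2>/dev/null
  openssl smime -sign -in "$d/msg.txt" -signer "$d/self.pem" -inkey "$d/self.key" \
    -out "$d/self.eml" 2>/dev/null

  # -noverify checks the signature only and skips signer chain validation.
  sig_only=$(verdict openssl smime -verify -in "$d/self.eml" -noverify)
  # Requiring a chain to the trusted CA rejects the self-signed signer...
  chain=$(verdict openssl smime -verify -in "$d/self.eml" -CAfile "$d/ca.pem")
  # ...and still accepts the signer that the CA actually issued.
  trusted=$(verdict openssl smime -verify -in "$d/good.eml" -CAfile "$d/ca.pem")

  rm -rf "$d"
  echo "sig_only=$sig_only chain=$chain trusted=$trusted"
}

smime_trust_demo   # prints: sig_only=accept chain=reject trusted=accept
```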
Why it matters
The vulnerability in Bulwark Webmail poses significant risks to email security, potentially allowing malicious actors to exploit the flaw for phishing or other cyberattacks. By enabling untrusted S/MIME certificates to be recognized as legitimate, it undermines the integrity of secure communications. This issue highlights the ongoing challenges in maintaining robust security protocols in email systems.
Implications
Organizations using Bulwark Webmail may face increased risk of email-based attacks if they do not update their systems promptly. The incident could lead to a loss of trust in self-hosted email solutions if users feel their communications are not secure. It may also prompt developers to prioritize security in future updates and encourage users to adopt more stringent security practices.
What to watch
Users of Bulwark Webmail should update to version 1.4.11 to mitigate the risks associated with this vulnerability. Observers should monitor for any reports of exploitation attempts related to this flaw. Additionally, the broader community may see discussions on enhancing security measures for email systems to prevent similar vulnerabilities in the future.