CVE-2026-34833 PUBLISHED

Bulwark Webmail: Information Exposure: password returned in /api/auth/session

Assigner: GitHub_M
Reserved: 30.03.2026 Published: 02.04.2026 Updated: 03.04.2026

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxie. This issue has been patched in version 1.4.10.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor bulwarkmail
Product webmail
Versions
  • Version < 1.4.10 is affected

References

Problem Types

  • CWE-312: Cleartext Storage of Sensitive Information CWE