Nixpkgs security tracker

Untriaged

Permalink CVE-2026-34834

created 2 weeks, 1 day ago

Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings via the /api/settings endpoint by providing arbitrary headers. This issue has been patched in version 1.4.10.

References

https://github.com/bulwarkmail/webmail/security/advisories/GHSA-4356-876g-rfmh x_refsource_CONFIRM
https://github.com/bulwarkmail/webmail/releases/tag/1.4.10 x_refsource_MISC

Affected products

webmail

==< 1.4.10

Matching in nixpkgs

pkgs.ayatana-webmail

Webmail notifications and actions for any desktop

nixos-unstable 24.5.17
- nixpkgs-unstable 24.5.17
- nixos-unstable-small 24.5.17
nixos-25.11 24.5.17
- nixos-25.11-small 24.5.17
- nixpkgs-25.11-darwin 24.5.17

Package maintainers

@doronbehar Doron Behar <me@doronbehar.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.ayatana-webmail

Package maintainers