Bulwark Webmail Authentication Bypass Vulnerability in verifyIdentity() Function

Vulnerability

An authentication bypass vulnerability has been identified in Bulwark Webmail versions prior to 1.4.10. The issue lies in the verifyIdentity() function, which incorrectly returns true when the request carries no session cookie: the absence of a session is treated as nothing to verify rather than as an unauthenticated request. An unauthenticated attacker can therefore pass the check and access or modify user settings through the /api/settings endpoint simply by sending a request without a session cookie, whatever other headers it carries. Version 1.4.10 removes the faulty branch so that verifyIdentity() returns false whenever no valid session is present.
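The fail-open pattern described above, reduced to a runnable illustration. This is an added example written for this page, not Bulwark Webmail's code: the session store, the cookie parsing, the request shape and the helper names other than verifyIdentity() are all assumptions. It places the vulnerable check (missing cookie falls through to true) beside a default-deny version and shows a constructed no-cookie request passing the first and failing the second.

```javascript
// Added illustration of the fail-open check the advisory describes; not
// Bulwark Webmail's code. Session store, cookie format and request shape are
// assumptions made for this example.

// Constructed session store: session id -> account.
const SESSIONS = new Map([["s3ss10n-abc", { user: "alice" }]]);

// Minimal Cookie header parser (assumes the usual "k=v; k2=v2" form).
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Vulnerable shape: no session cookie is treated as "nothing to verify" and
// the function falls through to true, so an unauthenticated request passes.
function verifyIdentityVulnerable(req) {
  const cookies = parseCookies(req.headers["cookie"]);
  if (!cookies.session) {
    return true; // BUG: absence of a session is not proof of identity
  }
  return SESSIONS.has(cookies.session);
}

// Hardened shape: default deny; only a session id known to the store is accepted.
function verifyIdentityFixed(req) {
  const cookies = parseCookies(req.headers["cookie"]);
  const sid = cookies.session;
  if (typeof sid !== "string" || sid.length === 0) return false;
  return SESSIONS.has(sid);
}

// Constructed handler standing in for the /api/settings endpoint, gated by
// whichever identity check is passed in.
function handleSettings(req, verify) {
  if (!verify(req)) return { status: 401 };
  return { status: 200 };
}

// Constructed requests: an attacker with no cookie at all (other headers are
// irrelevant to the check), a legitimate user, and a guessed session id.
const attackerRequest = { headers: { "x-forwarded-for": "203.0.113.5" } };
const userRequest = { headers: { cookie: "theme=dark; session=s3ss10n-abc" } };
const bogusRequest = { headers: { cookie: "session=doesnotexist" } };

function demo() {
  return {
    vulnerableNoCookie: verifyIdentityVulnerable(attackerRequest), // true: bypass
    fixedNoCookie: verifyIdentityFixed(attackerRequest),           // false
    fixedValid: verifyIdentityFixed(userRequest),                  // true
    fixedBogus: verifyIdentityFixed(bogusRequest),                 // false
    vulnerableEndpoint: handleSettings(attackerRequest, verifyIdentityVulnerable).status, // 200
    fixedEndpoint: handleSettings(attackerRequest, verifyIdentityFixed).status,           // 401
  };
}

console.log(demo());
```

The point of the hardened version is the shape of the control flow, not the cookie parsing: an identity check should have exactly one path that returns true, reached only after a session has been looked up and found, and every other path, including the "no cookie at all" path, should return false.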

Impact

Exploitation allows an unauthenticated attacker to view or modify user settings exposed through the /api/settings endpoint.

Remediation

Users are strongly advised to upgrade to Bulwark Webmail version 1.4.10 or later. Instructions for downloading the latest version are available on the Bulwark Webmail GitHub Releases page.

Added: Apr 2, 2026, 9:21 PM
Updated: Apr 2, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 7.4
remediation: 0.0
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.