Skip to main content

Formbricks CVE-2026-14792

| EUVDEUVD-2026-41803 MEDIUM
Improper Access Control (CWE-284)
2026-07-06 VulDB GHSA-g57h-53rr-6677
6.9
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable unauthenticated bypass (AV:N, PR:N) with no interaction needed; impact limited to low integrity and availability writes, no confidentiality breach, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 04:54 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in Formbricks 5.0.0. This impacts an unknown function of the file apps/web/modules/survey/link/actions.ts of the component Survey Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. Upgrading to version 5.1.0-rc.1 will fix this issue. The identifier of the patch is af6023b5ac3b030ffcea24fac799f76f3e3512c6. You should upgrade the affected component.

AnalysisAI

Improper access control in Formbricks 5.0.0 allows remote unauthenticated attackers to bypass authorization checks in the link survey handler, enabling unauthorized manipulation of survey data with limited integrity and availability impact. The flaw resides in the Survey Handler component (apps/web/modules/survey/link/actions.ts) and is tagged as an authentication bypass, confirmed by the CVSS 4.0 PR:N metric indicating no credentials are required. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Formbricks 5.0.0 instance with public link survey
Delivery
Send crafted HTTP request to /survey/link actions endpoint
Exploit
Bypass access control check in actions.ts
Execution
Perform unauthorized survey data manipulation
Impact
Degrade survey integrity or availability

Vulnerability AssessmentAI

Exploitation No authentication is required - the CVSS 4.0 vector specifies PR:N and UI:N, confirming unauthenticated remote exploitation against the link survey handler. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N yields a score of 6.9 (Medium), reflecting trivially accessible network exploitation with no prerequisites, but constrained by low integrity (VI:L) and low availability (VA:L) impacts and zero confidentiality impact (VC:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker identifies a Formbricks 5.0.0 instance with publicly accessible link surveys and sends crafted HTTP requests directly to the survey link action handler endpoint, bypassing the intended access control checks in actions.ts. By manipulating request parameters, the attacker performs unauthorized operations on survey objects - such as submitting responses on behalf of others, altering survey state, or triggering availability-impacting actions - without possessing valid credentials or survey ownership. …
Remediation Upgrade to Formbricks 5.1.0-rc.1, which contains patch commit af6023b5ac3b030ffcea24fac799f76f3e3512c6 addressing the access control flaw (GitHub PR: https://github.com/formbricks/formbricks/pull/8094; release tag: https://github.com/formbricks/formbricks/releases/tag/5.1.0-rc.1). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14792 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy