Open Forms
CVE-2026-28803
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Open Forms allows users create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instructions or a deep-link to start the cosign flow. The submission reference is communicated so that the user can retrieve the submission to be cosigned. Attackers can guess a code or modify the received code to look up arbitrary submissions, after logging in (with DigiD/eHerkenning/... depending on form configuration). This vulnerability is fixed in 3.3.13 and 3.4.5.
AnalysisAI
Open Forms versions prior to 3.3.13 and 3.4.5 allow authenticated attackers to access arbitrary form submissions through submission reference enumeration or manipulation in the cosigning workflow. An attacker with valid credentials can guess or modify cosigner codes to retrieve submissions they should not have access to, resulting in unauthorized information disclosure.
Technical ContextAI
This vulnerability (CWE-284: Improper Access Control) affects Open Forms allows users create and publish smart forms.. Open Forms allows users create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instructions or a deep-link to start the cosign flow. The submission reference is communicated so that the user can retrieve the submission to be cosigned. Attackers can guess a code or modify the received code to look up arbitrary submissions, after logging in (with DigiD/eHerkenning/... depending on form configuration). This vulnerability is fixed in 3.3
RemediationAI
Fixed in version 3.3.13. Restrict network access to the affected service where possible.
More in Open Forms
View allOpen Forms is an application for creating and publishing smart forms. Rated medium severity (CVSS 6.5), this vulnerabili
Open Forms is an application for creating and publishing smart forms. Rated medium severity (CVSS 6.1), this vulnerabili
Open Forms allows users create and publish smart forms. Rated medium severity (CVSS 5.9), this vulnerability is remotely
Open Forms allows users create and publish smart forms. Rated medium severity (CVSS 4.3), this vulnerability is remotely
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today