Skip to main content

Formie CVE-2026-47266

| EUVDEUVD-2026-33422 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-29 GitHub_M GHSA-pgxq-p76c-x9cg
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Source Code Evidence Fetched
May 29, 2026 - 21:51 vuln.today
Analysis Generated
May 29, 2026 - 21:51 vuln.today
Patch available
May 29, 2026 - 21:02 EUVD
CVSS changed
May 29, 2026 - 20:22 NVD
8.7 (HIGH)
CVE Published
May 29, 2026 - 19:03 nvd
UNKNOWN (no severity yet)

DescriptionGitHub Advisory

Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is fixed in 2.2.21 and 3.1.26.

AnalysisAI

Unauthorized submission modification in Formie (Craft CMS plugin) versions prior to 2.2.21 and 3.1.26 allows remote unauthenticated attackers to overwrite existing form submissions by POSTing a known or guessed submission ID to the formie/submissions/save-submission endpoint. The flaw is an authorization bypass (CWE-639) that compromises integrity of stored submission data without requiring credentials. No public exploit identified at time of analysis, though the upstream fix and advisory are publicly disclosed on GitHub.

Technical ContextAI

Formie is a forms-building plugin for Craft CMS developed by Verbb (CPE cpe:2.3:a:verbb:formie). The vulnerable code path is the save-submission controller action, which accepted a submission ID from the request body and updated the corresponding record without verifying that the requester owned, created, or was authorized to modify that submission - a textbook CWE-639 Authorization Bypass Through User-Controlled Key (IDOR). Because submission IDs are typically sequential integers, an attacker can enumerate or guess valid IDs trivially. The upstream patch introduces a new submissionEditToken mechanism (per the 2.2.21 release notes) that binds edit requests to a cryptographically derived token rather than relying solely on the predictable submission ID.

RemediationAI

Vendor-released patches are available: upgrade to Formie 2.2.21 for the 2.x branch or 3.1.26 for the 3.x branch, both published on the verbb/formie GitHub releases page (https://github.com/verbb/formie/releases/tag/2.2.21 and https://github.com/verbb/formie/releases/tag/3.1.26), with full advisory context at https://github.com/verbb/formie/security/advisories/GHSA-pgxq-p76c-x9cg. The 2.2.21 release adds a submissionEditToken to tighten authorization on edit requests, which is the structural fix and cannot be reliably replicated via configuration alone. As a temporary compensating control until patching, restrict access to the /formie/submissions/save-submission route at the web server or reverse proxy layer (for example via nginx or Apache location rules) to authenticated sessions or trusted IP ranges - note this will break legitimate end-user submission editing flows where they exist, so it is suitable only for sites that do not rely on user-facing submission edits. Sites should also audit recent submission records for unexpected modifications, since exploitation leaves no authentication trail.

Share

CVE-2026-47266 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy