docuForm Client CVE-2026-51923
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Authenticated low-privilege network IDOR (PR:L, AV:N, AC:L) giving cross-user read/modify so C:H/I:H; availability set N and RCE treated as unverified, matching described data impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
An Insecure Direct Object Reference (IDOR) vulnerability exists in docuForm GmbH Client v.11.11c allowing a remote attacker to execute arbitrary code via the user settings component, and modify or retrieve sensitive data associated with other users’ accounts.
AnalysisAI
Broken object-level authorization in docuForm GmbH Client v11.11c lets an authenticated remote user manipulate the user settings component to read and modify other users' account data, with the reporter additionally claiming this can escalate to arbitrary code execution. The flaw stems from user-controlled object references (CWE-639) that the application fails to authorize against the requesting session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold valid low-privilege authentication to the docuForm Client (CVSS PR:L), reach it over the network (AV:N), and interact with the user settings component, supplying another user's object/account identifier; no victim user interaction is required (UI:N) and complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are mixed and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds any low-privilege docuForm Client account authenticates, then intercepts a user-settings request and swaps the object/user identifier to that of a higher-value account, retrieving or altering that victim's settings and sensitive data. If a settings field is server-side evaluated, the same tampering could be leveraged toward code execution as claimed by the reporter. … |
| Remediation | No vendor-released patch version was identified at time of analysis, so no exact fix build can be cited from the input data - contact docuForm GmbH (https://docuform.de) for a fixed release and monitor the researcher references (https://ZeroBreach.de and https://gist.github.com/ZeroBreach-GmbH) for technical detail. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and catalog all docuForm GmbH Client v11.11c instances; confirm running version; determine network exposure (internal vs. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today