Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
Addressed a potential insecure direct object reference (IDOR) vulnerability in the signing invitation acceptance process. Under certain conditions, this issue could have allowed an attacker to access or modify unauthorized resources by manipulating user-supplied object identifiers, potentially leading to forged signatures and compromising the integrity and authenticity of documents undergoing the signing process. The issue was caused by insufficient authorization validation on referenced resources during request processing.
AnalysisAI
Insecure direct object reference in Foxit eSign's signing invitation acceptance process allows authenticated attackers to forge document signatures by manipulating object identifiers. Attackers with low-level privileges can access high-sensitivity resources and modify signing workflows without proper authorization, potentially compromising document integrity and authenticity in electronic signature workflows. EPSS score of 0.03% (8th percentile) indicates low observed exploitation probability, with no public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
This vulnerability exploits an Insecure Direct Object Reference (IDOR) pattern classified under CWE-284 (Improper Access Control). IDOR occurs when applications expose direct references to internal implementation objects-such as database keys, file paths, or resource identifiers-without validating whether the requesting user is authorized to access the referenced resource. In Foxit eSign's case, the signing invitation acceptance workflow accepts user-supplied object identifiers (likely invitation tokens, document IDs, or signer identifiers) without sufficient server-side authorization checks. The affected product is Foxit eSign cloud service hosted at na1.foxitesign.foxit.com, a SaaS electronic signature platform. The authorization bypass occurs during request processing when the application validates object existence but fails to verify the authenticated user's ownership or permission to access that specific resource.
RemediationAI
Foxit released a fix deployed to the na1.foxitesign.foxit.com cloud service on 2026-03-26. As a SaaS platform, no customer action is required for patching-the fix is automatically applied server-side. Organizations should verify their eSign instance was updated by confirming the service build date or contacting Foxit support. Review audit logs from before 2026-03-26 for suspicious signing invitation acceptance patterns, specifically looking for users accepting invitations not originally sent to them or accessing documents outside their authorization scope. Implement compensating controls: enable multi-factor authentication for all eSign users to reduce account compromise risk (the primary attack prerequisite), configure signing workflows to require additional verification steps for high-value documents, and establish monitoring for anomalous signature activity patterns such as rapid acceptance of multiple invitations by single accounts. Note that MFA reduces but does not eliminate risk since the vulnerability affects authenticated sessions. For critical documents signed before the patch date, consider verification procedures to confirm signature authenticity. Detailed security bulletin available at https://www.foxit.com/support/security-bulletins.html.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17767