Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable unauthenticated bypass (AV:N, PR:N) with no interaction needed; impact limited to low integrity and availability writes, no confidentiality breach, scope unchanged.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in Formbricks 5.0.0. This impacts an unknown function of the file apps/web/modules/survey/link/actions.ts of the component Survey Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. Upgrading to version 5.1.0-rc.1 will fix this issue. The identifier of the patch is af6023b5ac3b030ffcea24fac799f76f3e3512c6. You should upgrade the affected component.
AnalysisAI
Improper access control in Formbricks 5.0.0 allows remote unauthenticated attackers to bypass authorization checks in the link survey handler, enabling unauthorized manipulation of survey data with limited integrity and availability impact. The flaw resides in the Survey Handler component (apps/web/modules/survey/link/actions.ts) and is tagged as an authentication bypass, confirmed by the CVSS 4.0 PR:N metric indicating no credentials are required. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication is required - the CVSS 4.0 vector specifies PR:N and UI:N, confirming unauthenticated remote exploitation against the link survey handler. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N yields a score of 6.9 (Medium), reflecting trivially accessible network exploitation with no prerequisites, but constrained by low integrity (VI:L) and low availability (VA:L) impacts and zero confidentiality impact (VC:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker identifies a Formbricks 5.0.0 instance with publicly accessible link surveys and sends crafted HTTP requests directly to the survey link action handler endpoint, bypassing the intended access control checks in actions.ts. By manipulating request parameters, the attacker performs unauthorized operations on survey objects - such as submitting responses on behalf of others, altering survey state, or triggering availability-impacting actions - without possessing valid credentials or survey ownership. … |
| Remediation | Upgrade to Formbricks 5.1.0-rc.1, which contains patch commit af6023b5ac3b030ffcea24fac799f76f3e3512c6 addressing the access control flaw (GitHub PR: https://github.com/formbricks/formbricks/pull/8094; release tag: https://github.com/formbricks/formbricks/releases/tag/5.1.0-rc.1). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41803
GHSA-g57h-53rr-6677