CVE-2026-28803

EPSS 0.2%
Veröffentlicht 11.03.2026 16:16:40
Zuletzt bearbeitet 17.03.2026 19:19:19
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Open Forms possible to view submission details of other people than intended

Open Forms allows users create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instructions or a deep-link to start the cosign flow. The submission reference is communicated so that the user can retrieve the submission to be cosigned. Attackers can guess a code or modify the received code to look up arbitrary submissions, after logging in (with DigiD/eHerkenning/... depending on form configuration). This vulnerability is fixed in 3.3.13 and 3.4.5.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Maykinmedia ≫ Open Forms Version < 3.3.13

Maykinmedia ≫ Open Forms Version >= 3.4.0 < 3.4.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.099

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/open-formulieren/open-forms/security/advisories/GHSA-2g49-rfm6-5qj5

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-28803

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-28803

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-28803

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-28803