CVE-2026-28803

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-28803
Open Forms allows users create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instructions or a deep-link to start the cosign flow. The submission reference is communicated so that the user can retrieve the submission to be cosigned. Attackers can guess a code or modify the received code to look up arbitrary submissions, after logging in (with DigiD/eHerkenning/... depending on form configuration). This vulnerability is fixed in 3.3.13 and 3.4.5.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/open-formulieren/open-forms/security/advisories/GHSA-2g49-rfm6-5qj5 Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*
cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*
History

17 Mar 2026, 19:19

Type Values Removed Values Added
References () https://github.com/open-formulieren/open-forms/security/advisories/GHSA-2g49-rfm6-5qj5 - () https://github.com/open-formulieren/open-forms/security/advisories/GHSA-2g49-rfm6-5qj5 - Mitigation, Vendor Advisory
CWE NVD-CWE-noinfo
Summary
  • (es) Open Forms permite a los usuarios crear y publicar formularios inteligentes. Antes de 3.3.13 y 3.4.5, para poder cosignar, el cosignatario recibe un correo electrónico con instrucciones o un enlace profundo para iniciar el flujo de cosignatura. La referencia de la presentación se comunica para que el usuario pueda recuperar la presentación a ser cosignada. Los atacantes pueden adivinar un código o modificar el código recibido para buscar presentaciones arbitrarias, después de iniciar sesión (con DigiD/eHerkenning/... dependiendo de la configuración del formulario). Esta vulnerabilidad está corregida en 3.3.13 y 3.4.5.
First Time Maykinmedia open Forms
Maykinmedia
CPE cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*

11 Mar 2026, 16:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-11 16:16

Updated : 2026-03-17 19:19

NVD link : CVE-2026-28803

Mitre link : CVE-2026-28803

CVE.ORG link : CVE-2026-28803

JSON object : View

Products Affected

maykinmedia

  • open_forms
CWE
CWE-284

Improper Access Control

NVD-CWE-noinfo