{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28803", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T14:25:19.246Z", "datePublished": "2026-03-11T15:52:08.464Z", "dateUpdated": "2026-03-11T17:30:48.578Z"}, "containers": {"cna": {"title": "Open Forms possible to view submission details of other people than intended", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/open-formulieren/open-forms/security/advisories/GHSA-2g49-rfm6-5qj5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-formulieren/open-forms/security/advisories/GHSA-2g49-rfm6-5qj5"}], "affected": [{"vendor": "open-formulieren", "product": "open-forms", "versions": [{"version": ">= 3.4.0-alpha.0, < 3.4.5", "status": "affected"}, {"version": "< 3.3.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T15:52:08.464Z"}, "descriptions": [{"lang": "en", "value": "Open Forms allows users create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instructions or a deep-link to start the cosign flow. The submission reference is communicated so that the user can retrieve the submission to be cosigned. Attackers can guess a code or modify the received code to look up arbitrary submissions, after logging in (with DigiD/eHerkenning/... depending on form configuration). This vulnerability is fixed in 3.3.13 and 3.4.5."}], "source": {"advisory": "GHSA-2g49-rfm6-5qj5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T17:30:34.864496Z", "id": "CVE-2026-28803", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T17:30:48.578Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28803", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T17:30:34.864496Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T17:30:38.574Z"}}], "cna": {"title": "Open Forms possible to view submission details of other people than intended", "source": {"advisory": "GHSA-2g49-rfm6-5qj5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "open-formulieren", "product": "open-forms", "versions": [{"status": "affected", "version": ">= 3.4.0-alpha.0, < 3.4.5"}, {"status": "affected", "version": "< 3.3.13"}]}], "references": [{"url": "https://github.com/open-formulieren/open-forms/security/advisories/GHSA-2g49-rfm6-5qj5", "name": "https://github.com/open-formulieren/open-forms/security/advisories/GHSA-2g49-rfm6-5qj5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Open Forms allows users create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instructions or a deep-link to start the cosign flow. The submission reference is communicated so that the user can retrieve the submission to be cosigned. Attackers can guess a code or modify the received code to look up arbitrary submissions, after logging in (with DigiD/eHerkenning/... depending on form configuration). This vulnerability is fixed in 3.3.13 and 3.4.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T15:52:08.464Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28803", "state": "PUBLISHED", "dateUpdated": "2026-03-11T17:30:48.578Z", "dateReserved": "2026-03-03T14:25:19.246Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T15:52:08.464Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "19C86DE6-DC79-4B71-89AD-3A43741BE51D", "versionEndExcluding": "3.3.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "DFE1882C-1659-4E5A-B21A-D08B09DA32B8", "versionEndExcluding": "3.4.5", "versionStartIncluding": "3.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Open Forms allows users create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instructions or a deep-link to start the cosign flow. The submission reference is communicated so that the user can retrieve the submission to be cosigned. Attackers can guess a code or modify the received code to look up arbitrary submissions, after logging in (with DigiD/eHerkenning/... depending on form configuration). This vulnerability is fixed in 3.3.13 and 3.4.5."}, {"lang": "es", "value": "Open Forms permite a los usuarios crear y publicar formularios inteligentes. Antes de 3.3.13 y 3.4.5, para poder cosignar, el cosignatario recibe un correo electr\u00f3nico con instrucciones o un enlace profundo para iniciar el flujo de cosignatura. La referencia de la presentaci\u00f3n se comunica para que el usuario pueda recuperar la presentaci\u00f3n a ser cosignada. Los atacantes pueden adivinar un c\u00f3digo o modificar el c\u00f3digo recibido para buscar presentaciones arbitrarias, despu\u00e9s de iniciar sesi\u00f3n (con DigiD/eHerkenning/... dependiendo de la configuraci\u00f3n del formulario). Esta vulnerabilidad est\u00e1 corregida en 3.3.13 y 3.4.5."}], "id": "CVE-2026-28803", "lastModified": "2026-03-17T19:19:19.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T16:16:40.630", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/open-formulieren/open-forms/security/advisories/GHSA-2g49-rfm6-5qj5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.4.0-alpha.0,3.4.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.13)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "open-forms", "source": "cna", "vendor": "open-formulieren"}, "product": "open-forms", "vendor": "open-formulieren"}], "analysis": {"en": {"generated_at": "2026-03-17T20:45:12.785606+00:00", "value": {"mitigation_remediation": ["Upgrade Open Forms to version 3.3.13 or 3.4.5 (or later) to apply the fix."], "summary": {"action": "Patch", "impact": "Unauthorized Data Exposure"}, "threat_synthesis": {"affected_systems": "The affected product is Open Forms from maykinmedia. All releases prior to 3.3.13 for the 3.3.x line and prior to 3.4.5 for the 3.4.x line are vulnerable. Versions 3.3.13 and 3.4.5, and any later releases, contain the fix.", "description_and_impact": "Open Forms, a platform that enables the creation and publication of smart forms, contains an access control flaw that allows a logged\u2011in user to view submission details that were not intended for them. The flaw is triggered when the cosigner receives an email or deep\u2011link containing a submission reference; an attacker can guess or alter this reference to retrieve arbitrary submissions. The vulnerability is classified as CWE\u2011284: Improper Access Control, indicating that legitimate users are able to bypass intended access restrictions.", "risk_and_exploitability": "The CVSS score of 6.5 places the vulnerability in the moderate severity range; however, the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack requires a legitimate authenticated session, after which an attacker can guess a submission reference or tamper with the cosign link to gain unauthorized access to other users\u2019 submission data. No publicly known exploit is available at this time, but the entry is remediated by updating the product to the patched versions."}}}}, "created": "2026-03-12T10:05:36.456031+00:00", "updated": "2026-03-20T15:30:52.138899+00:00", "vendors": ["open-formulieren", "open-formulieren$PRODUCT$open-forms"]}