Description
Open Forms allows users create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instructions or a deep-link to start the cosign flow. The submission reference is communicated so that the user can retrieve the submission to be cosigned. Attackers can guess a code or modify the received code to look up arbitrary submissions, after logging in (with DigiD/eHerkenning/... depending on form configuration). This vulnerability is fixed in 3.3.13 and 3.4.5.
Published: 2026-03-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Exposure
Action: Patch
AI Analysis

Impact

Open Forms, a platform that enables the creation and publication of smart forms, contains an access control flaw that allows a logged‑in user to view submission details that were not intended for them. The flaw is triggered when the cosigner receives an email or deep‑link containing a submission reference; an attacker can guess or alter this reference to retrieve arbitrary submissions. The vulnerability is classified as CWE‑284: Improper Access Control, indicating that legitimate users are able to bypass intended access restrictions.

Affected Systems

The affected product is Open Forms from maykinmedia. All releases prior to 3.3.13 for the 3.3.x line and prior to 3.4.5 for the 3.4.x line are vulnerable. Versions 3.3.13 and 3.4.5, and any later releases, contain the fix.

Risk and Exploitability

The CVSS score of 6.5 places the vulnerability in the moderate severity range; however, the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack requires a legitimate authenticated session, after which an attacker can guess a submission reference or tamper with the cosign link to gain unauthorized access to other users’ submission data. No publicly known exploit is available at this time, but the entry is remediated by updating the product to the patched versions.

Generated by OpenCVE AI on March 17, 2026 at 20:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open Forms to version 3.3.13 or 3.4.5 (or later) to apply the fix.

Generated by OpenCVE AI on March 17, 2026 at 20:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Maykinmedia
Maykinmedia open Forms
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*
Vendors & Products Maykinmedia
Maykinmedia open Forms

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Open-formulieren
Open-formulieren open-forms
Vendors & Products Open-formulieren
Open-formulieren open-forms

Wed, 11 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description Open Forms allows users create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instructions or a deep-link to start the cosign flow. The submission reference is communicated so that the user can retrieve the submission to be cosigned. Attackers can guess a code or modify the received code to look up arbitrary submissions, after logging in (with DigiD/eHerkenning/... depending on form configuration). This vulnerability is fixed in 3.3.13 and 3.4.5.
Title Open Forms possible to view submission details of other people than intended
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Maykinmedia Open Forms
Open-formulieren Open-forms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T17:30:48.578Z

Reserved: 2026-03-03T14:25:19.246Z

Link: CVE-2026-28803

cve-icon Vulnrichment

Updated: 2026-03-11T17:30:38.574Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T16:16:40.630

Modified: 2026-03-17T19:19:19.560

Link: CVE-2026-28803

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:30:52Z

Weaknesses