CVE-2026-28803
Received Received - Intake
Insecure Direct Object Reference in Open Forms Cosign Feature

Publication date: 2026-03-11

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Open Forms allows users create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instructions or a deep-link to start the cosign flow. The submission reference is communicated so that the user can retrieve the submission to be cosigned. Attackers can guess a code or modify the received code to look up arbitrary submissions, after logging in (with DigiD/eHerkenning/... depending on form configuration). This vulnerability is fixed in 3.3.13 and 3.4.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28803
EUVD
EUVD-2026-11198
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
maykinmedia open_forms to 3.3.13 (exc)
maykinmedia open_forms From 3.4.0 (inc) to 3.4.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28803 is an improper access control vulnerability in Open Formulieren (open-forms) versions prior to 3.3.13 and 3.4.5. It affects the cosigning feature where a cosigner receives an email with a submission reference code or deep-link to approve a submission.'}, {'type': 'paragraph', 'content': "Attackers who have logged in (e.g., via DigiD or eHerkenning) can guess or manipulate this submission reference code to access other users' submissions without authorization. The risk depends on how predictable the submission references are; sequential references make guessing easier, while random references make it highly improbable."}, {'type': 'paragraph', 'content': 'The vulnerability was fixed by adding a one-time-password verification step, rate limiting, enhanced audit logging, limiting submission retention time, and ensuring already cosigned submissions are not vulnerable.'}] [1]

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive submission data by attackers who guess or manipulate submission reference codes after logging in.

The confidentiality of user submissions is at risk, potentially exposing personal or sensitive information contained in the forms.

The severity is moderate with a CVSS score of 6.5, indicating a significant confidentiality impact but no impact on integrity or availability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by analyzing audit logs for suspicious access patterns. Specifically, look for multiple retrievals of submissions or access attempts long after a submission has been completed, which may indicate exploitation.

Open Forms provides a detection script named ./bin/report_completed_submissions_access.py that scans audit logs to identify such suspicious activities.

Mitigation Strategies

Immediate mitigation steps include upgrading Open Forms to version 3.3.13 or 3.4.5 or later, where the vulnerability is fixed.

  • Implement the one-time-password (OTP) verification step in the submission lookup flow to ensure only authorized users can access submissions.
  • Apply rate limiting on lookup and verification endpoints to reduce the risk of brute-force guessing attacks.
  • Review and monitor enhanced audit logs for any unauthorized access attempts.
  • Consider disabling the /submissions/<form_slug>/find/ endpoint as a temporary workaround, understanding that this will break cosigning functionality.
  • Limit submission retention time to reduce the window of opportunity for guessing attacks (configurable, max 90 days).
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28803. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart