CVE-2026-28803
Insecure Direct Object Reference in Open Forms Cosign Feature
Publication date: 2026-03-11
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| maykinmedia | open_forms | up to 3.3.13 (exclusive) |
| maykinmedia | open_forms | from 3.4.0 (inclusive) to 3.4.5 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28803 is an improper access control vulnerability in Open Formulieren (open-forms) versions prior to 3.3.13 and 3.4.5. It affects the cosigning feature, where a cosigner receives an email with a submission reference code or deep link to approve a submission.

Attackers who have logged in (e.g., via DigiD or eHerkenning) can guess or manipulate this submission reference code to access other users' submissions without authorization. The risk depends on how predictable the submission references are: sequential references make guessing easier, while random references make it highly improbable.

The vulnerability was fixed by adding a one-time-password verification step, rate limiting, enhanced audit logging, limiting submission retention time, and ensuring already cosigned submissions are not vulnerable. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to sensitive submission data by attackers who guess or manipulate submission reference codes after logging in.
The confidentiality of user submissions is at risk, potentially exposing personal or sensitive information contained in the forms.
The severity is moderate with a CVSS score of 6.5, indicating a significant confidentiality impact but no impact on integrity or availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing audit logs for suspicious access patterns. Specifically, look for multiple retrievals of submissions or access attempts long after a submission has been completed, which may indicate exploitation.
Open Forms provides a detection script named ./bin/report_completed_submissions_access.py that scans audit logs to identify such suspicious activities.
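The two heuristics described above (repeated retrievals of one submission, and retrieval long after completion) as an added detection example; this is not Open Forms' own `report_completed_submissions_access.py`, and the JSON-lines audit log format, field names and sample records are constructed assumptions, not the product's real audit-log schema.

```python
"""Added example: flag suspicious submission lookups in constructed audit-log lines."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines). Field names are assumptions,
# not Open Forms' real audit-log schema.
SAMPLE_LOG = """\
{"ts": "2026-03-01T10:00:00", "event": "submission_completed", "submission": "OF-1001", "user": "u1"}
{"ts": "2026-03-01T10:05:00", "event": "submission_retrieved", "submission": "OF-1001", "user": "u2"}
{"ts": "2026-03-02T09:00:00", "event": "submission_completed", "submission": "OF-1002", "user": "u3"}
{"ts": "2026-03-02T09:01:00", "event": "submission_retrieved", "submission": "OF-1002", "user": "u9"}
{"ts": "2026-03-02T09:02:00", "event": "submission_retrieved", "submission": "OF-1002", "user": "u9"}
{"ts": "2026-03-02T09:03:00", "event": "submission_retrieved", "submission": "OF-1002", "user": "u9"}
{"ts": "2026-03-01T11:00:00", "event": "submission_completed", "submission": "OF-1003", "user": "u4"}
{"ts": "2026-03-15T16:00:00", "event": "submission_retrieved", "submission": "OF-1003", "user": "u9"}
"""


def find_suspicious(log_text, max_retrievals=1, stale_after=timedelta(days=7)):
    """Return {submission: [reasons]} for submissions retrieved more than
    max_retrievals times, or retrieved later than stale_after past completion.
    A normal cosign flow is one retrieval shortly after completion."""
    completed = {}                  # submission -> completion timestamp
    retrievals = defaultdict(list)  # submission -> [(timestamp, user)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        if rec["event"] == "submission_completed":
            completed[rec["submission"]] = ts
        elif rec["event"] == "submission_retrieved":
            retrievals[rec["submission"]].append((ts, rec["user"]))

    findings = {}
    for sub, hits in retrievals.items():
        reasons = []
        if len(hits) > max_retrievals:
            reasons.append(f"{len(hits)} retrievals by {sorted({u for _, u in hits})}")
        done = completed.get(sub)
        if done is not None:
            late = [ts for ts, _ in hits if ts - done > stale_after]
            if late:
                reasons.append(f"retrieved {(max(late) - done).days} days after completion")
        if reasons:
            findings[sub] = reasons
    return findings


if __name__ == "__main__":
    for sub, reasons in find_suspicious(SAMPLE_LOG).items():
        print(sub, "; ".join(reasons))
```

Tune `max_retrievals` and `stale_after` to the deployment's configured retention window; the thresholds here are illustrative.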
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps:
- Upgrade Open Forms to version 3.3.13 or 3.4.5 or later, where the vulnerability is fixed.
- Implement the one-time-password (OTP) verification step in the submission lookup flow to ensure only authorized users can access submissions.
- Apply rate limiting on lookup and verification endpoints to reduce the risk of brute-force guessing attacks.
- Review and monitor enhanced audit logs for any unauthorized access attempts.
- Consider disabling the /submissions/<form_slug>/find/ endpoint as a temporary workaround, understanding that this will break cosigning functionality.
- Limit submission retention time to reduce the window of opportunity for guessing attacks (configurable, max 90 days).