CVE-2026-47266
Deferred Deferred - Pending Action
Unauthenticated Submission Modification in Formie Plugin

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is fixed in 2.2.21 and 3.1.26.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-47266
EUVD
EUVD-2026-33422
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
formie formie to 2.2.21 (inc)
formie formie to 3.1.26 (inc)
verbb formie 2.2.21
verbb formie 3.1.26
verbb formie to 2.2.21 (exc)
verbb formie to 3.1.26 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-47266 is a vulnerability in the Formie plugin for Craft CMS that allows unauthenticated users to modify existing form submissions. This happens because the plugin accepted submission editing requests without proper authentication, allowing attackers to post a known or guessed submission ID to the endpoint formie/submissions/save-submission and overwrite submissions.

The vulnerability affects versions prior to 2.2.21 and 3.1.26 and was fixed by adding a submissionEditToken to secure submission editing requests.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to alter form submissions without authentication. This could lead to data integrity issues, where submitted information is changed or corrupted.

Such unauthorized modifications could affect business processes relying on accurate form data, potentially causing operational disruptions or misleading data collection.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the endpoint formie/submissions/save-submission, especially those that include submission IDs that are known or guessed.

You can use network monitoring or web server logs to identify such suspicious requests.

  • Use command-line tools like curl or wget to test if the endpoint accepts unauthenticated submission edits.
  • Example curl command to test the vulnerability (replace URL and submission ID accordingly):

curl -X POST https://yourdomain.com/formie/submissions/save-submission -d 'submissionId=KNOWN_OR_GUESSED_ID&other_form_data=...' -v

  • Check web server access logs for POST requests to formie/submissions/save-submission without authentication.
Mitigation Strategies

Immediate mitigation steps include updating the Formie plugin to version 2.2.21 or 3.1.26 or later, where the vulnerability is fixed by adding a submissionEditToken to secure submission editing requests.

If updating immediately is not possible, temporarily block unauthenticated access to the endpoint formie/submissions/save-submission or disable front-end submission editing to prevent unauthorized modifications.

Compliance Impact

The vulnerability allows unauthenticated users to modify existing form submissions by guessing or knowing submission IDs, which could lead to unauthorized data alteration.

Such unauthorized modification of data can impact compliance with data protection regulations like GDPR and HIPAA, which require ensuring the integrity and confidentiality of personal and sensitive information.

If exploited, this vulnerability could result in data integrity issues, unauthorized data changes, and potential breaches of privacy obligations mandated by these standards.

Applying the security patches in versions 2.2.21 and 3.1.26, which introduce a submissionEditToken to secure submission editing, helps mitigate these compliance risks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47266. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart