CVE-2026-14792
Received Received - Intake

Improper Access Control in Formbricks Survey Handler

Vulnerability report for CVE-2026-14792, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: VulDB

Description

A security vulnerability has been detected in Formbricks 5.0.0. This impacts an unknown function of the file apps/web/modules/survey/link/actions.ts of the component Survey Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. Upgrading to version 5.1.0-rc.1 will fix this issue. The identifier of the patch is af6023b5ac3b030ffcea24fac799f76f3e3512c6. You should upgrade the affected component.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
formbricks formbricks 5.0.0
formbricks formbricks 5.1.0-rc.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in Formbricks 5.0.0 involves improper access controls in the Survey Handler component, specifically in the file apps/web/modules/survey/link/actions.ts.

Two main security issues were identified: first, the `isSurveyResponsePresentAction` endpoint lacked IP-based rate limiting and server-side validation for the `isSingleResponsePerEmailEnabled` feature. This allowed attackers to perform email-enumeration attacks by repeatedly querying the endpoint with arbitrary email addresses to check if responses had been submitted, and at an unbounded rate.

Second, the `validateSurveyPinAction` endpoint was vulnerable to brute-force PIN guessing attacks due to the absence of rate limiting.

Both endpoints were unprotected, enabling potential abuse such as email enumeration, feature bypass, and brute-force attacks.

The fix introduced rate limiting (10 requests per minute per IP) and added server-side validation to ensure the single-response-per-email feature is enabled before processing requests.

Impact Analysis

This vulnerability can impact you by allowing attackers to perform email enumeration attacks, which can reveal whether specific email addresses have submitted survey responses.

It also enables brute-force attacks on survey PINs, potentially allowing unauthorized access to survey responses or manipulation of survey data.

Such unauthorized access or information leakage can compromise the confidentiality and integrity of survey data.

Detection Guidance

This vulnerability involves abuse of two endpoints: `isSurveyResponsePresentAction` and `validateSurveyPinAction`. Detection can focus on identifying unusual or excessive requests to these endpoints.

  • Monitor network traffic or server logs for high-frequency requests to the `isSurveyResponsePresentAction` endpoint, especially repeated queries with different email addresses.
  • Look for repeated failed attempts or brute-force style requests to the `validateSurveyPinAction` endpoint.

Commands to detect such activity might include using tools like `grep` or `awk` on server logs to filter requests to these endpoints, for example:

  • grep 'isSurveyResponsePresentAction' /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -nr
  • grep 'validateSurveyPinAction' /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -nr

These commands count the number of requests per IP address to the vulnerable endpoints, helping identify potential abuse or brute-force attempts.

Mitigation Strategies

The primary mitigation step is to upgrade Formbricks to version 5.1.0-rc.1 or later, where the vulnerability is fixed.

The fix includes implementing IP-based rate limiting on the vulnerable endpoints to restrict requests to 10 per minute per IP address, preventing brute-force and enumeration attacks.

Additionally, server-side validation was added to ensure that the `isSingleResponsePerEmailEnabled` feature is enabled before processing requests on the `isSurveyResponsePresentAction` endpoint.

If upgrading immediately is not possible, consider implementing temporary rate limiting or firewall rules to restrict excessive requests to these endpoints.

Compliance Impact

The vulnerability in Formbricks 5.0.0 involves improper access controls that allow remote exploitation through email enumeration and brute-force PIN guessing attacks. This could lead to unauthorized access to survey response information, potentially exposing sensitive or personal data.

Such unauthorized access and data leakage could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal data access and protection against unauthorized disclosure.

The fix introduced rate limiting and validation checks to prevent these attacks, thereby improving the security posture and helping to maintain compliance with these standards by reducing the risk of data exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14792. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart