CVE-2026-28803

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28803

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28803.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28803

Aliases

GHSA-2g49-rfm6-5qj5

Published

2026-03-11T15:52:08.464Z

Modified

2026-04-10T05:41:25.925421Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Open Forms possible to view submission details of other people than intended

Details

Open Forms allows users create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instructions or a deep-link to start the cosign flow. The submission reference is communicated so that the user can retrieve the submission to be cosigned. Attackers can guess a code or modify the received code to look up arbitrary submissions, after logging in (with DigiD/eHerkenning/... depending on form configuration). This vulnerability is fixed in 3.3.13 and 3.4.5.

Database specific

{
    "cwe_ids": [
        "CWE-284"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28803.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/open-formulieren/open-forms

Affected ranges

Type

GIT

Repo

https://github.com/open-formulieren/open-forms

Events

Introduced

d106db0b3eb063073ffa8d5a9056645652077b5c

Fixed

b7372aae0419ad3881e0792fd3c7dacd991bb90d

Database specific

{
    "versions": [
        {
            "introduced": "3.4.0-alpha.0"
        },
        {
            "fixed": "3.4.5"
        }
    ]
}

Type

GIT

Repo

https://github.com/open-formulieren/open-forms

Events

Introduced

Fixed

70ce5fae45b07d4625e7ae6b0a49c1498f23cd3e

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.3.13"
        }
    ]
}

Affected versions

1.*

1.0.0

1.0.0-rc.0

1.0.0-rc.1

1.0.0-rc.2

1.0.0-rc.3

1.0.0-rc.4

1.5.0-hodm.1

1.5.0-hodm.2

2.*

2.0.0-beta.0

2.1.0-alpha.0

2.1.0-alpha.2

2.2.1-beta.0

2.3.0

2.3.0-alpha.0

2.3.0-alpha.1+hodm

2.3.0-haalcentraalhr.0

2.3.0-hodm.1

2.3.0-hodm.2

2.4.0

2.4.0-alpha.0

2.5.0

2.5.0-alpha.0

2.6.0

2.6.0-alpha.0

2.7.0

2.7.0-alpha.0

2.8.0-alpha.0

2.8.0-beta.0

3.*

3.0.0

3.0.0-alpha.0

3.0.0-rc.0

3.0.0-rc.1

3.0.1

3.1.0

3.1.0-alpha.0

3.1.0-alpha.1

3.2.0

3.2.0-alpha.0

3.2.0-alpha.1

3.3.0

3.3.0-alpha.0

3.3.0-alpha.1

3.3.0-rc.0

3.3.1

3.3.1-alpha.0

3.3.10

3.3.11

3.3.12

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7

3.3.8

3.3.9

3.4.0

3.4.0-alpha.0

3.4.0-alpha.1

3.4.0-alpha.2

3.4.0-leiden.0

3.4.0-leiden.1

3.4.1

3.4.2

3.4.3

3.4.4

Other

POC

before-sdk

demodam

mvp

perf-profiling-before-logic-refactor

revert_dh

sprint-10

sprint-11

sprint-4

sprint-5

sprint-6

sprint-7

sprint-8

sprint-9

still-functional

tag-push-test

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28803.json"