Open Forms: Attackers can guess or modify cosign links
CVE-2026-28803
Summary
Older versions of Open Forms let attackers access sensitive submissions by guessing or altering cosign links. This means they could see or alter private information. Update to version 3.3.13 or 3.4.5 to fix this.
Original description
Open Forms allows users to create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instructions or a deep-link to start the cosign flow. The submission reference is communicated so that the user can retrieve the submission to be cosigned. Attackers can guess a code or modify the received code to look up arbitrary submissions, after logging in (with DigiD/eHerkenning/... depending on form configuration). This vulnerability is fixed in 3.3.13 and 3.4.5.
NVD CVSS 3.1
6.5
Vulnerability type
CWE-284
Improper Access Control
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026