CVE-2026-28803 Overview
CVE-2026-28803 is an Insecure Direct Object Reference (IDOR) vulnerability in Open Forms, a platform that allows users to create and publish smart forms. The vulnerability exists in the cosigning workflow where submission references can be guessed or manipulated by authenticated attackers to access arbitrary form submissions.
When a cosigner receives an email with instructions or a deep-link to start the cosign flow, the submission reference is communicated so that the user can retrieve the submission to be cosigned. However, attackers can guess a code or modify the received code to look up arbitrary submissions after logging in via authentication providers like DigiD or eHerkenning, depending on form configuration.
Critical Impact
Authenticated attackers can access confidential form submission data belonging to other users by manipulating submission reference codes, potentially exposing sensitive personal or organizational information.
Affected Products
- Open Forms versions prior to 3.3.13 (3.3.x branch)
- Open Forms versions prior to 3.4.5 (3.4.x branch)
Discovery Timeline
- March 11, 2026 - CVE CVE-2026-28803 published to NVD
- March 12, 2026 - Last updated in NVD database
Technical Details for CVE-2026-28803
Vulnerability Analysis
This vulnerability falls under CWE-284 (Improper Access Control), manifesting as an Insecure Direct Object Reference in the cosigning functionality. The core issue lies in insufficient validation of submission reference codes during the cosign retrieval process. When authenticated users access the cosign flow, the application fails to properly verify that the requesting user has legitimate authorization to access the specific submission.
The vulnerability requires network access and authenticated status (via configured identity providers) but does not require any user interaction to exploit. This results in a confidentiality breach where attackers can access form submissions containing potentially sensitive data from other users.
Root Cause
The root cause is improper access control in the submission lookup mechanism during the cosigning workflow. The application trusts the submission reference code provided by the user without adequately verifying ownership or authorization. This allows authenticated users to enumerate or manipulate reference codes to access submissions they should not have permission to view.
Attack Vector
The attack is conducted over the network by an authenticated user. The attacker first logs in using a legitimate authentication method configured for the form (DigiD, eHerkenning, or similar identity providers). Once authenticated, they can:
- Receive a legitimate cosign request containing a submission reference code
- Analyze the structure and pattern of the reference code
- Modify or guess alternative reference codes
- Submit requests with manipulated codes to retrieve other users' form submissions
The vulnerability mechanism involves insufficient authorization checks during submission retrieval. When a cosigner accesses the cosign endpoint with a submission reference, the application retrieves the submission data without properly validating that the authenticated user is the intended cosigner for that specific submission. For technical implementation details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-28803
Indicators of Compromise
- Unusual patterns of cosign endpoint access from single authenticated users
- Multiple failed or successful submission lookups with sequential or similar reference codes
- Access logs showing submission retrievals for submissions not associated with the requesting user's identity
Detection Strategies
- Monitor authentication logs for users accessing multiple cosign submissions in short time periods
- Implement anomaly detection on the cosign API endpoint to identify reference code enumeration attempts
- Review access logs for patterns indicating submission reference manipulation (incremental IDs, similar patterns)
- Alert on high-frequency requests to cosign-related endpoints from individual authenticated sessions
Monitoring Recommendations
- Enable detailed logging on all cosign workflow endpoints including submission reference codes and user identities
- Implement rate limiting on submission lookup functionality
- Deploy application-layer monitoring to correlate authentication events with submission access patterns
- Configure alerts for failed authorization attempts on submission retrieval endpoints
How to Mitigate CVE-2026-28803
Immediate Actions Required
- Upgrade Open Forms to version 3.3.13 or later (for 3.3.x deployments)
- Upgrade Open Forms to version 3.4.5 or later (for 3.4.x deployments)
- Review access logs for signs of exploitation prior to patching
- Notify affected users if unauthorized submission access is detected
Patch Information
The vulnerability is fixed in Open Forms versions 3.3.13 and 3.4.5. Organizations should upgrade to these versions or later immediately. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, consider temporarily disabling the cosigning functionality until the update can be applied
- Implement additional network-layer access controls to restrict access to cosign endpoints
- Enable enhanced logging and monitoring to detect potential exploitation attempts
- Review and strengthen submission reference code generation to use cryptographically secure, non-guessable values
The recommended approach is to apply the official patches as soon as possible, as workarounds may not fully address the underlying access control issue.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
