{"id":"CVE-2026-28803","summary":"Open Forms allows viewing submission details of people other than intended","details":"Open Forms allows users to create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instructions or a deep-link to start the cosign flow. The submission reference is communicated in that e-mail so that the cosigner can retrieve the submission to be cosigned. Because knowledge of that reference is sufficient to look up a submission, an attacker who has logged in (with DigiD/eHerkenning/... depending on form configuration) can guess a reference, or modify the one they received, to look up arbitrary submissions and view other people's submission details (improper access control, CWE-284). This vulnerability is fixed in 3.3.13 and 3.4.5.","aliases":["GHSA-2g49-rfm6-5qj5"],"modified":"2026-04-10T05:41:25.925421Z","published":"2026-03-11T15:52:08.464Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28803.json","cwe_ids":["CWE-284"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28803.json"},{"type":"ADVISORY","url":"https://github.com/open-formulieren/open-forms/security/advisories/GHSA-2g49-rfm6-5qj5"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28803"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/open-formulieren/open-forms","events":[{"introduced":"d106db0b3eb063073ffa8d5a9056645652077b5c"},{"fixed":"b7372aae0419ad3881e0792fd3c7dacd991bb90d"}],"database_specific":{"versions":[{"introduced":"3.4.0-alpha.0"},{"fixed":"3.4.5"}]}},{"type":"GIT","repo":"https://github.com/open-formulieren/open-forms","events":[{"introduced":"0"},{"fixed":"70ce5fae45b07d4625e7ae6b0a49c1498f23cd3e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.3.13"}]}}],"versions":["1.0.0","1.0.0-rc.0","1.0.0-rc.1","1.0.0-rc.2","1.0.0-rc.3","1.0.0-rc.4","1.5.0-hodm.1","1.5.0-hodm.2","2.0.0-beta.0","2.1.0-alpha.0","2.1.0-alpha.2","2.2.1-beta.0","2.3.0","2.3.0-alpha.0","2.3.0-alpha.1+hodm","2.3.0-haalcentraalhr.0","2.3.0-hodm.1","2.3.0-hodm.2","2.4.0","2.4.0-alpha.0","2.5.0","2.5.0-alpha.0","2.6.0","2.6.0-alpha.0","2.7.0","2.7.0-alpha.0","2.8.0-alpha.0","2.8.0-beta.0","3.0.0","3.0.0-alpha.0","3.0.0-rc.0","3.0.0-rc.1","3.0.1","3.1.0","3.1.0-alpha.0","3.1.0-alpha.1","3.2.0","3.2.0-alpha.0","3.2.0-alpha.1","3.3.0","3.3.0-alpha.0","3.3.0-alpha.1","3.3.0-rc.0","3.3.1","3.3.1-alpha.0","3.3.10","3.3.11","3.3.12","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7","3.3.8","3.3.9","3.4.0","3.4.0-alpha.0","3.4.0-alpha.1","3.4.0-alpha.2","3.4.0-leiden.0","3.4.0-leiden.1","3.4.1","3.4.2","3.4.3","3.4.4","POC","before-sdk","demodam","mvp","perf-profiling-before-logic-refactor","revert_dh","sprint-10","sprint-11","sprint-4","sprint-5","sprint-6","sprint-7","sprint-8","sprint-9","still-functional","tag-push-test"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28803.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}